Abstract

We present a new model for deterministic-by-construction parallel programming that generalizes existing single-assignment models to allow multiple assignments that are monotonically increasing with respect to a user-specified partial order. Our model achieves determinism by using a novel shared data structure with an API that allows only monotonic writes and “threshold” reads that block until a lower bound is reached. We give a proof of determinism for our model, discuss ways to express existing deterministic parallel models using it, and describe how to extend it to support a limited form of nondeterminism that admits failures but never wrong answers.


1 Introduction 

Programs written using a deterministic-by-construction model of parallel computation always produce the same observable results, offering programmers the promise of freedom from subtle, hard-to-reproduce nondeterministic bugs. A common theme that emerges in the study of diverse deterministic-by-construction parallel systems, from venerable models like Kahn process networks (KPNs) [ref] to modern ones like Intel’s Concurrent Collections (CnC) system [ref], is that the determinism of the model hinges on some notion of monotonicity. In KPNs, for instance, processes communicate over FIFO channels with ever-increasing channel histories, while in CnC, a shared data store of single-assignment variables grows monotonically.

Because state modifications that only add information and never destroy it can be structured to commute with one 
another (and thereby avoid insidious race conditions), it stands to reason that monotonic data structures play a key 
role in the design of deterministic-by-construction parallel programming models. Yet there is little in the way of a 
general theory of monotonic data structures as a basis for deterministic, shared-state concurrency. As a result, models 
like CnC and KPNs emerge independently, without recognition of their common basis. In this paper we take a step 
towards a more general theory. 

We begin with an example. Consider the program in Figure 1(a), written in a hypothetical programming language with locations, standard get and put operations on locations, and a let par form for parallel evaluation of multiple subexpressions. Depending on whether get l or put l 4 executes first, the value of v might be either 3 or 4. Hence Figure 1(a) is nondeterministic: multiple runs of the program can produce different observable results based on choices made by the scheduler.

A straightforward modification we can make to our hypothetical language to enforce determinism is to require that variables may be written to at most once, resulting in a single-assignment language [ref]. Such single-assignment variables are sometimes known as IVars¹ and are a well-established mechanism for enforcing determinism at the language and library level [8, 26, 7, 18] and even at the hardware level [ref]. In a language with IVars, the second call to put in Figure 1(a) would raise an error, and the resulting program, since it would always produce the error, would be deterministic.

IVars enforce determinism by restricting the writes that can occur to a variable. However, the single-write restriction can be weakened as long as reads are also restricted. In Figure 1(b), we modify get to take an extra argument, representing the minimum value that we are interested in reading from v. If the value of l has not yet reached 4 at the time that get l 4 is ready to run, the operation blocks until it does, giving put l 4 an opportunity to run first. Assuming (as we do) that the scheduler will eventually decide to run both branches of the let par expression, Figure 1(b) is deterministic and will always evaluate to 4. Moreover, if we had written get l 5 instead of get l 4, the program would be guaranteed to block forever.

¹ IVars are so named because they are a special case of I-structures [3], namely those with only one cell.

(a)
  let _ = put l 3 in
  let par v = get l
          _ = put l 4
  in v

(b)
  let _ = put l 3 in
  let par v = get l 4
          _ = put l 4
  in v

(c)
  let _ = put l 3 in
  let par v = get l 4
          _ = put l 4
          _ = put l 5
  in v

Figure 1: Three example programs: (a) nondeterministic, (b) deterministic with a threshold read, and (c) deterministic with a threshold read that returns the specified threshold value.

Our tweak fixes the specific program in Figure 1(b). But what if multiple subcomputations are writing to l in parallel, all with values greater than or equal to four? Competing puts land us back where we started—Figure 1(c) might evaluate to either 4 or 5 without further restrictions. Therefore we propose a design in which, if a minimum or “threshold” value specified by a get operation has been reached, then the get operation returns that minimum value. This get restriction is not as draconian as it may seem; later we will see how the total order in these examples can be relaxed to a partial order, and potentially infinite sets of threshold values may be specified. Together, monotonically increasing puts and minimum-value gets yield a deterministic-by-construction model, guaranteeing that every program written using the model will behave deterministically.
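To make the argument of this section concrete, the following added example (not code from the paper) enumerates every scheduler interleaving of the three Figure 1 programs over a single natural-number location l, under three semantics for put and get: a plain overwriting location with an unrestricted read (Figure 1(a)); monotonic puts with a blocking get that returns the current value once the threshold is reached (the “without further restrictions” reading of Figure 1(c)); and monotonic puts with a get that returns its threshold value (the design proposed here). The operation encoding, the mode names and the function `observable_results` are this example's own constructions.

```python
"""Exhaustive interleaving check for the three programs of Figure 1.

Added example, not code from the paper.  A program is a sequential prefix of
("put", n) operations followed by parallel branches, each a list of:
    ("put", n)  -- write n to the single location l
    ("get", t)  -- read l; with threshold t the read blocks until l >= t
Modes for put/get:
    "overwrite" -- put replaces l, get returns the current value (Figure 1(a))
    "current"   -- put is monotonic (max); get blocks until l >= t, returns the current value
    "threshold" -- put is monotonic (max); get blocks until l >= t, returns t (the paper's design)
"""

def observable_results(prefix, branches, mode):
    """Return the set of values the get observes across every interleaving.

    None in the result marks a schedule on which the program blocks forever.
    """
    l = 0                                        # the location starts at its least value
    for _, n in prefix:                          # the sequential puts before the let par
        l = n if mode == "overwrite" else max(l, n)
    results = set()

    def explore(l, pcs, v):
        runnable = []
        for i, pc in enumerate(pcs):
            if pc == len(branches[i]):
                continue                         # this branch has finished
            op, arg = branches[i][pc]
            if op == "get" and mode != "overwrite" and l < arg:
                continue                         # threshold not reached: the get is blocked
            runnable.append(i)
        if not runnable:
            finished = all(pc == len(b) for pc, b in zip(pcs, branches))
            results.add(v if finished else None) # None: every unfinished branch is blocked
            return
        for i in runnable:                       # follow every choice the scheduler could make
            op, arg = branches[i][pcs[i]]
            new_l, new_v = l, v
            if op == "put":
                new_l = arg if mode == "overwrite" else max(l, arg)
            else:
                new_v = arg if mode == "threshold" else l
            explore(new_l, pcs[:i] + (pcs[i] + 1,) + pcs[i + 1:], new_v)

    explore(l, (0,) * len(branches), None)
    return results

# Constructed encodings of the Figure 1 programs.
PREFIX = [("put", 3)]                                  # let _ = put l 3 in
FIG1A = [[("get", None)], [("put", 4)]]                # let par v = get l ; _ = put l 4
FIG1B = [[("get", 4)], [("put", 4)]]                   # let par v = get l 4 ; _ = put l 4
FIG1C = [[("get", 4)], [("put", 4)], [("put", 5)]]     # ... ; _ = put l 4 ; _ = put l 5
FIG1B_GET5 = [[("get", 5)], [("put", 4)]]              # the variant with get l 5

def figure1_summary():
    """Observable results of each program under the semantics the text discusses."""
    return {
        "a overwrite": observable_results(PREFIX, FIG1A, "overwrite"),     # {3, 4}: nondeterministic
        "b threshold": observable_results(PREFIX, FIG1B, "threshold"),     # {4}
        "c current":   observable_results(PREFIX, FIG1C, "current"),       # {4, 5}: competing puts
        "c threshold": observable_results(PREFIX, FIG1C, "threshold"),     # {4}: deterministic
        "b get 5":     observable_results(PREFIX, FIG1B_GET5, "threshold"),# {None}: blocks forever
    }
```

The "current" mode shows why returning the current value is not enough once several puts race: Figure 1(c) yields {4, 5}. Returning the threshold value collapses that set to {4}, and the get l 5 variant blocks on every schedule, which the enumeration reports as None.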

Our proposed model generalizes IVars to LVars, thus named because their states can be represented as elements of a user-specified partially ordered set that forms a bounded join-semilattice. This user-specified partially ordered set, which we call a domain, determines the semantics of the put and get operations that comprise the interface to LVars. In Figure 1(c), for instance, the domain that determines the semantics of put and get might be the natural numbers ordered by ≤. The LVar model is general enough to subsume the IVar model—as well as other deterministic parallel models—because it is parameterized by the choice of domain. For example, a domain of channel histories with a prefix ordering would allow LVars to become FIFO channels that implement a Kahn process network. Different instantiations of the domain result in a family of parallel languages, all of which are deterministic. This family of languages is exactly the class of languages that deal with asynchronous, data-driven parallelism [ref], which is critical for irregular parallel applications such as graph algorithms.

An example application that uses rich, shared data structures and that processes irregular data is Hindley-Milner 
type inference. In a parallelized type-inference algorithm, each type variable becomes an LVar, and upward movement 
in the lattice represents type unification. Another example is the problem of removing duplicates from a list in parallel. 
One solution is for multiple computations to insert elements into a single, shared set data structure, with a domain 
ordered by subset inclusion. 

Monotonically increasing variables naturally lend themselves to a variety of parallel operations on data structures in a way that single-assignment variables do not. For instance, in the duplicate-removal example, the shared set might be represented by a trie. Consider then inserting two keys, say, om and nil, into the trie from different points in the parallel computation. Supposing that 0 represents “left” and 1 “right”, there would seem to be no conflict—the two operations are filling in disjoint parts of the data structure. However, if the trie were implemented with IVars, each operation would need to fill in a chain of IVars, populating the tree from the root to the leaf in question. To retain determinism, IVars do not allow testing for emptiness, so there would be no way for one put operation to know if another had already populated the root of the trie. Moreover, if both operations attempted to create a new node and then insert it into the IVar at the root of the trie, then we would cause a violation of the single-assignment rule. This is a limitation of IVars that LVars solve.
Contributions  In this paper, we introduce LVars as the building block of a model of deterministic parallelism (Section 2) and use them to define λ_LVar, a parallel calculus with shared state based on the call-by-value λ-calculus (Section 3). As our main technical result, we present a proof of determinism for λ_LVar (Section 4). A critical aspect of the proof is a frame-rule-like property, expressed by the Independence lemma (Section 4.3), that would not hold in a typical language with shared mutable state, but holds in our setting because of the semantics of LVars and their put/get interface. We present evidence that λ_LVar is sufficiently expressive to model two paradigms of deterministic parallel computation: shared-state, single-assignment models, exemplified by the Intel Concurrent Collections framework [ref] and the monad-par Haskell library [ref], and data-flow networks, exemplified by Kahn process networks [ref] (Section 5). Finally, we describe an extension to the basic λ_LVar model: destructive observations, enabling a limited form of nondeterminism that admits failures but not wrong answers (Section 6).


Figure 2: Example domains: (a) IVar containing a natural number; (b) pair of natural-number-valued IVars; (c) ≤ ordering. Subfigure (b) is annotated with example threshold sets that would correspond to a blocking read of the first or second element of the pair (see Sections 2.3 and 3.2). Any state transition crossing the “tripwire” for getSnd causes it to unblock and return a result.


2 Domains, Stores, and Determinism 

We take as the starting point for our work a call-by-value λ-calculus extended with a store and with communication primitives put and get that operate on data in the store. We call this language λ_LVar. The class of programs that we are interested in modeling with λ_LVar are those with explicit effectful operations on shared data structures, in which subcomputations may communicate with each other via the put and get operations.

In this setting of shared mutable state, the trick that λ_LVar employs to maintain determinism is that stores contain LVars, which are a generalization of IVars [ref]. Whereas IVars are single-assignment variables—either empty or filled with an immutable value—an LVar may have an arbitrary number of states forming a domain (or state space) D, which is partially ordered by a relation ⊑. An LVar can take on any sequence of states from the domain D, so long as that sequence respects the partial order—that is, updates to the LVar (made via the put operation) are inflationary with respect to ⊑. Moreover, the interface presented by the get operation allows only limited observations of the LVar’s state. In this section, we discuss how domains and stores work in λ_LVar and explain how the semantics of put and get together enforce determinism in λ_LVar programs.

2.1 Domains 

The definition of λ_LVar is parameterized by the choice of a domain D: to write concrete λ_LVar programs, one must specify the domain that one is interested in working with. Therefore λ_LVar is actually a family of languages, rather than a single language. Virtually any data structure to which information is added gradually can be represented as a λ_LVar domain, including pairs, arrays, trees, maps, and infinite streams. Figure 2 gives three examples of domains for common data structures.

Formally, a domain D is a bounded join-semilattice.² In other words:

• D comes equipped with a partial order ⊑;

• every pair of elements in D has a least upper bound (lub) ⊔;

• D has a least element ⊥ and a greatest element ⊤.

The simplest example of a useful domain is one that represents the state space of a single-assignment variable (an IVar). A natural-number-valued IVar, for instance, would correspond to the domain in Figure 2(a), that is,

  D = ({⊤, ⊥} ∪ ℕ, ⊑),

where the partial order ⊑ is defined by setting ⊥ ⊑ d ⊑ ⊤ and d ⊑ d for all d ∈ D. This is a lattice of height three and infinite width, where the naturals are arranged horizontally. After the initial write of some n ∈ ℕ, any further conflicting writes would push the state of the IVar to ⊤ (an error).

The motivation for requiring domains with the given structure is as follows:

• the least element, ⊥, is needed to initialize store locations;

• the greatest element, ⊤, is needed to denote “conflicting” updates to store locations;

• the requirement that every two elements must have a lub means that it is always possible to fork a computation into subcomputations that can independently update the store and then join the results by taking the lub of updates to shared locations.

2.2 Stores 

During the evaluation of a λ_LVar program, a store S keeps track of the states of LVars. Each LVar is represented by a binding from a location l, drawn from a set Loc, to its state, which is some element d ∈ D. Although each LVar in a program has its own state, the states of all the LVars are drawn from the same domain D. We can do this with no loss of generality because lattices corresponding to different types of LVars could always be unioned into a single lattice (with shared ⊤ and ⊥ elements). Alternatively, in a typed formulation of λ_LVar, the type of an LVar might determine the domain of its states.

Definition 1. A store is either a finite partial mapping S : Loc ⇀ (D − {⊤}), or the distinguished element ⊤_S.

We use the notation S[l ↦ d] to denote extending S with a binding from l to d. If l ∈ dom(S), then S[l ↦ d] denotes an update to the existing binding for l, rather than an extension. We can also denote a store by explicitly writing out all its bindings, using the notation [l1 ↦ d1, l2 ↦ d2, …]. The state space of stores forms a bounded join-semilattice, just as D does. The least element ⊥_S is the empty store, and ⊤_S is the greatest element. It is straightforward to lift the ⊑ and ⊔ operations defined on elements of D to the level of stores:

Definition 2. A store S is less than or equal to a store S' (written S ⊑_S S') iff:

• S' = ⊤_S, or

• dom(S) ⊆ dom(S') and for all l ∈ dom(S), S(l) ⊑ S'(l).

Definition 3. The least upper bound (lub) of two stores S1 and S2 (written S1 ⊔_S S2) is defined as follows:

• S1 ⊔_S S2 = ⊤_S iff there exists some l ∈ dom(S1) ∩ dom(S2) such that S1(l) ⊔ S2(l) = ⊤.

• Otherwise, S1 ⊔_S S2 is the store S such that:

  - dom(S) = dom(S1) ∪ dom(S2), and

  - for all l ∈ dom(S):

$$S(l) = \begin{cases} S_1(l) \sqcup S_2(l) & \text{if } l \in \mathit{dom}(S_1) \cap \mathit{dom}(S_2) \\ S_1(l) & \text{if } l \notin \mathit{dom}(S_2) \\ S_2(l) & \text{if } l \notin \mathit{dom}(S_1) \end{cases}$$

By Definition 3, if d1 ⊔ d2 = ⊤, then [l ↦ d1] ⊔_S [l ↦ d2] = ⊤_S. Notice that a store like [l ↦ ⊤] can never arise during the execution of a λ_LVar program, because (as we will see in Section 3) an attempted write that would take the state of l to ⊤ would raise an error before the write can occur.

² Although we will sometimes abbreviate “bounded join-semilattice” to “lattice” for brevity’s sake in the discussion that follows, λ_LVar domains do not, in general, satisfy the properties of a lattice.

2.3 Communication Primitives 

The new, put, and get operations create, write to, and read from LVars, respectively. The interface is similar to that presented by mutable references:

• new extends the store with a binding for a new LVar whose initial state is ⊥, and returns the location l of that LVar (i.e., a pointer to the LVar).

• put takes a pointer to an LVar and a singleton set containing a new state; it updates the store, merging the current state of the LVar with the new state by taking their lub, and pushes the state of the LVar upward in the lattice. Any update that would take the state of an LVar to ⊤ results in an error.

• get performs a blocking “threshold” read that allows limited observations of the state of an LVar. It takes a pointer to an LVar and a threshold set Q, which is a non-empty subset of D that is pairwise incompatible, meaning that the lub of any two distinct elements in Q is ⊤. If the LVar’s state d in the lattice is at or above some d' ∈ Q, the get operation unblocks and returns the singleton set {d'}. Note that d' is a unique element of Q, for if there is another d'' ≠ d' in the threshold set such that d'' ⊑ d, it would follow that d' ⊔ d'' ⊑ d ≠ ⊤, which contradicts the requirement that Q be pairwise incompatible.

The intuition behind get is that it specifies a subset of the lattice that is “horizontal”: no two elements in the subset can be above or below one another. Intuitively, each element in the threshold set is an “alarm” that detects the activation of itself or any state above it. One way of visualizing the threshold set for a get operation is as a subset of edges in the lattice that, if crossed, set off the corresponding alarm. Together these edges form a “tripwire”. This visualization is pictured in Figure 2(b). The threshold set {(⊥, 0), (⊥, 1), …} (or a subset thereof) would pass the incompatibility test, as would the threshold set {(0, ⊥), (1, ⊥), …} (or a subset thereof), but a combination of the two would not pass.

Both get and put take and return sets. The fact that put takes a singleton set and get returns a singleton set (rather 
than a value d) may seem awkward; it is merely a way to keep the grammar for values simple, and avoid including set 
primitives in the language (e.g., for converting d to {d}). 

2.4 Monotonic Store Growth and Determinism 

In IVar-based languages, a store can only change in one of two ways: a new binding is added at ⊥, or a previously ⊥ binding is permanently updated to a meaningful value. It is therefore straightforward in such languages to define an ordering on stores and establish determinism based on the fact that stores grow monotonically with respect to the ordering. For instance, Featherweight CnC [ref], a lightweight, single-assignment imperative language that models the CnC system, defines ordering on stores as follows:³

Definition 4 (store ordering, Featherweight CnC). A store S is less than or equal to a store S' (written S S') iff dom(S) ⊆ dom(S') and for all l ∈ dom(S), S(l) = S'(l).

³ In Featherweight CnC, the store interface is simpler still: no store location is ever bound to ⊥. Instead, if l ∉ dom(S) then l is defined to be at ⊥, and a location springs into existence at the time that its permanent value is written.
Given a domain D with elements d ∈ D:

  configurations          σ ::= ⟨S; e⟩ | error
  expressions             e ::= x | v | e e | new | put e e | get e e | convert e
  values                  v ::= l | Q | λx.e
  threshold set literals  Q ::= {d1, d2, …, dn} | {d | pred(d)}        (where pred(d) is computable)
  stores                  S ::= ⊤_S | [l1 ↦ d1, l2 ↦ d2, …]              (where di ≠ ⊤)

Figure 3: Syntax for λ_LVar.

Our Definition 2 is reminiscent of Definition 4, but Definition 4 requires that S(l) and S'(l) be equal, instead of our weaker requirement that S(l) ⊑ S'(l) according to the user-provided partial order ⊑. In λ_LVar, stores may grow by updating existing bindings via repeated puts, so Definition 4 would be too strong; for instance, if d1 ⊑ d2 for distinct d1, d2 ∈ D, the relationship [l ↦ d1] ⊑_S [l ↦ d2] holds under Definition 2 but would not hold under Definition 4. That is, in λ_LVar an LVar could take on the state d1 followed by d2, which would not be possible in Featherweight CnC. We establish in Section 4 that λ_LVar remains deterministic despite the relatively weak relation given in Definition 2. The keys to maintaining determinism are the blocking semantics of the get operation and the fact that it allows only limited observations of the state of an LVar.


3 λ_LVar: Syntax and Semantics

The syntax and operational semantics of λ_LVar appear in Figures 3 and 4, respectively.⁴ As we’ve noted, both the syntax and semantics are parameterized by the domain D. The operational semantics is defined on configurations ⟨S; e⟩ comprising a store and an expression. The error configuration, written error, is a unique element added to the set of configurations, but we consider ⟨⊤_S; e⟩ to be equal to error, for all expressions e. The metavariable σ ranges over configurations.

Figure [4] shows two disjoint sets of reduction rules: those that step to configurations other than error, and those 
that step to error. Most of the latter are merely propagating existing errors along. A new error can only arise by way 
of E-ParAppErr, which represents the joining of two conflicting subcomputations, or by way of the E-PutValErr 
rule, which applies when a put to a location would take its state to T. 

The reduction rules E-New, E-PutVal, and E-GetVal in Figure 4 respectively express the semantics of the new, put, and get operations described in Section 2.3. The incompatibility property of the threshold set argument to get is enforced in the E-GetVal rule by the incomp(Q) premise, which requires that the least upper bound of any two distinct elements in Q must be ⊤.⁵ The E-Put-1/E-Put-2 and E-Get-1/E-Get-2 rules allow for reduction of subexpressions inside put and get expressions until their arguments have been evaluated, at which time the E-PutVal (or E-PutValErr) and E-GetVal rules respectively apply. Arguments to put and get are evaluated in arbitrary order, although not simultaneously.⁶

3.1 Fork-Join Parallelism 

λ_LVar has an explicitly parallel reduction semantics: the E-ParApp rule in Figure 4 allows simultaneous reduction of the operator and operand in an application expression, so that (eliding stores) the application e1 e2 may step to e1' e2'. In the case where one of the subexpressions is already a value or is otherwise unable to step (for instance, if it is a

⁴ In addition to the version of λ_LVar presented here, we have developed a runnable model of a variant of λ_LVar using the PLT Redex semantics engineering toolkit [ref]. Our Redex model and test suite are available at https://github.com/lkuper/lambdaLVar-redex

⁵ Although incomp(Q) is given as a premise of the E-GetVal reduction rule (indicating that it is checked at runtime), in a real implementation the incompatibility condition on threshold sets might be checked statically, eliminating the need for the runtime check. In fact, a real implementation could forego any runtime representation of threshold sets.

⁶ It would, however, be straightforward to add to the semantics E-ParPut and E-ParGet rules analogous to E-ParApp, should simultaneous evaluation of put and get arguments be desired.
Given a domain D with elements d ∈ D, and a value-conversion function δ:

$$\mathit{incomp}(Q) \;=\; \forall a, b \in Q.\ (a \neq b \Rightarrow a \sqcup b = \top)$$

Rules that step to a configuration other than error (where ⟨S'; e'⟩ ≠ error):

$$\textsc{E-Refl}\quad \langle S;\ e\rangle \hookrightarrow \langle S;\ e\rangle$$

$$\textsc{E-ParApp}\quad \frac{\langle S;\ e_1\rangle \hookrightarrow \langle S_1;\ e_1'\rangle \qquad \langle S;\ e_2\rangle \hookrightarrow \langle S_2;\ e_2'\rangle \qquad \langle S_1'';\ e_1''\rangle = \mathit{rename}(\langle S_1;\ e_1'\rangle, S_2, S) \qquad S_1'' \sqcup_S S_2 \neq \top_S}{\langle S;\ e_1\ e_2\rangle \hookrightarrow \langle S_1'' \sqcup_S S_2;\ e_1''\ e_2'\rangle}$$

$$\textsc{E-Put-1}\quad \frac{\langle S;\ e_1\rangle \hookrightarrow \langle S_1;\ e_1'\rangle}{\langle S;\ \mathsf{put}\ e_1\ e_2\rangle \hookrightarrow \langle S_1;\ \mathsf{put}\ e_1'\ e_2\rangle}
\qquad
\textsc{E-Put-2}\quad \frac{\langle S;\ e_2\rangle \hookrightarrow \langle S_2;\ e_2'\rangle}{\langle S;\ \mathsf{put}\ e_1\ e_2\rangle \hookrightarrow \langle S_2;\ \mathsf{put}\ e_1\ e_2'\rangle}$$

$$\textsc{E-PutVal}\quad \frac{S(l) = d_2 \qquad d_1 \in D \qquad d_1 \sqcup d_2 \neq \top}{\langle S;\ \mathsf{put}\ l\ \{d_1\}\rangle \hookrightarrow \langle S[l \mapsto d_1 \sqcup d_2];\ \{\}\rangle}$$

$$\textsc{E-Get-1}\quad \frac{\langle S;\ e_1\rangle \hookrightarrow \langle S_1;\ e_1'\rangle}{\langle S;\ \mathsf{get}\ e_1\ e_2\rangle \hookrightarrow \langle S_1;\ \mathsf{get}\ e_1'\ e_2\rangle}
\qquad
\textsc{E-Get-2}\quad \frac{\langle S;\ e_2\rangle \hookrightarrow \langle S_2;\ e_2'\rangle}{\langle S;\ \mathsf{get}\ e_1\ e_2\rangle \hookrightarrow \langle S_2;\ \mathsf{get}\ e_1\ e_2'\rangle}$$

$$\textsc{E-GetVal}\quad \frac{S(l) = d_2 \qquad \mathit{incomp}(Q) \qquad Q \subseteq D \qquad d_1 \in Q \qquad d_1 \sqsubseteq d_2}{\langle S;\ \mathsf{get}\ l\ Q\rangle \hookrightarrow \langle S;\ \{d_1\}\rangle}$$

$$\textsc{E-Beta}\quad \langle S;\ (\lambda x.\,e)\ v\rangle \hookrightarrow \langle S;\ e[x := v]\rangle$$

$$\textsc{E-Convert}\quad \frac{\langle S;\ e\rangle \hookrightarrow \langle S';\ e'\rangle}{\langle S;\ \mathsf{convert}\ e\rangle \hookrightarrow \langle S';\ \mathsf{convert}\ e'\rangle}
\qquad
\textsc{E-ConvertVal}\quad \langle S;\ \mathsf{convert}\ v\rangle \hookrightarrow \langle S;\ \delta(v)\rangle$$

$$\textsc{E-New}\quad \langle S;\ \mathsf{new}\rangle \hookrightarrow \langle S[l \mapsto \bot];\ l\rangle \qquad (l \notin \mathit{dom}(S))$$

Rules that step to error:

$$\textsc{E-ReflErr}\quad \mathit{error} \hookrightarrow \mathit{error}$$

$$\textsc{E-ParAppErr}\quad \frac{\langle S;\ e_1\rangle \hookrightarrow \langle S_1;\ e_1'\rangle \qquad \langle S;\ e_2\rangle \hookrightarrow \langle S_2;\ e_2'\rangle \qquad \langle S_1'';\ e_1''\rangle = \mathit{rename}(\langle S_1;\ e_1'\rangle, S_2, S) \qquad S_1'' \sqcup_S S_2 = \top_S}{\langle S;\ e_1\ e_2\rangle \hookrightarrow \mathit{error}}$$

$$\textsc{E-PutValErr}\quad \frac{S(l) = d_2 \qquad d_1 \in D \qquad d_1 \sqcup d_2 = \top}{\langle S;\ \mathsf{put}\ l\ \{d_1\}\rangle \hookrightarrow \mathit{error}}$$

$$\textsc{E-AppErr-1}\quad \frac{\langle S;\ e_1\rangle \hookrightarrow \mathit{error}}{\langle S;\ e_1\ e_2\rangle \hookrightarrow \mathit{error}}
\qquad
\textsc{E-AppErr-2}\quad \frac{\langle S;\ e_2\rangle \hookrightarrow \mathit{error}}{\langle S;\ e_1\ e_2\rangle \hookrightarrow \mathit{error}}$$

$$\textsc{E-PutErr-1}\quad \frac{\langle S;\ e_1\rangle \hookrightarrow \mathit{error}}{\langle S;\ \mathsf{put}\ e_1\ e_2\rangle \hookrightarrow \mathit{error}}
\qquad
\textsc{E-PutErr-2}\quad \frac{\langle S;\ e_2\rangle \hookrightarrow \mathit{error}}{\langle S;\ \mathsf{put}\ e_1\ e_2\rangle \hookrightarrow \mathit{error}}$$

$$\textsc{E-GetErr-1}\quad \frac{\langle S;\ e_1\rangle \hookrightarrow \mathit{error}}{\langle S;\ \mathsf{get}\ e_1\ e_2\rangle \hookrightarrow \mathit{error}}
\qquad
\textsc{E-GetErr-2}\quad \frac{\langle S;\ e_2\rangle \hookrightarrow \mathit{error}}{\langle S;\ \mathsf{get}\ e_1\ e_2\rangle \hookrightarrow \mathit{error}}$$

$$\textsc{E-ConvertErr}\quad \frac{\langle S;\ e\rangle \hookrightarrow \mathit{error}}{\langle S;\ \mathsf{convert}\ e\rangle \hookrightarrow \mathit{error}}$$

Figure 4: An operational semantics for λ_LVar.




Figure 5: A series-parallel graph induced by basic parallel λ-calculus evaluation (a), vs. a non-series-parallel graph created by put/get communication (b).


blocked get), the reflexive E-Refl rule comes in handy: it allows the E-ParApp rule to apply nevertheless. When the configuration ⟨S; e1 e2⟩ takes a step, e1 and e2 step as separate subcomputations, each beginning with its own copy of the store S. Each subcomputation can update S independently, and the resulting two stores are combined by taking their least upper bound when the subcomputations rejoin.⁷

Although the semantics admits such parallel reductions, λ_LVar is still call-by-value in the sense that arguments to functions must be fully evaluated before function application (β-reduction, modeled by the E-Beta rule) can occur. We can exploit this property to define a syntactic sugar let par for parallel composition, which computes two subexpressions e1 and e2 in parallel before computing e3:


  let par x = e1
          y = e2        ≡   ((λx. (λy. e3)) e1) e2
  in e3

Although e1 and e2 are evaluated in parallel, e3 cannot be evaluated until both e1 and e2 are evaluated, because the call-by-value semantics does not allow β-reduction until the operand is fully evaluated, and because it further disallows reduction under a λ-term (sometimes called “full β-reduction”). In the terminology of parallel programming, the above expression executes both a fork and a join. Indeed, it is common for fork and join to be combined in a single language construct, for example, in languages with parallel tuple expressions such as Manticore [ref].

Since let par expresses fork-join parallelism, the evaluation of a program comprising nested let par expressions would induce a runtime dependence graph like that pictured in Figure 5(a). In the terminology of parallel algorithms, the λ_LVar language (minus put and get) can support any series-parallel dependence graph. Adding communication through put and get introduces “lateral” edges between branches of a parallel computation like that shown in Figure 5(b). This adds the ability to construct arbitrary non-series-parallel dependency graphs, just as with first-class futures [23].

Conversely, to sequentially compose e1 before e2 before e3, we could write the expression (λx. ((λy. e3) e2)) e1. Sequential composition is necessary for ordering side-effecting put and get operations on the store. For that reason, full β-reduction would be a poor choice, but parallel call-by-value gives λ_LVar both sequential and parallel composition, without introducing additional language forms.

⁷ A subtle point that E-ParApp and E-ParAppErr must address is location renaming: locations created while e1 steps must be renamed to avoid name conflicts with locations created while e2 steps. We discuss the rename metafunction as part of a more wide-ranging discussion in Section 4.1.
3.2 Programming with put and get

For our first example of a λ_LVar program, we choose our domain to be pairs of natural-number-valued IVars, represented by the lattice shown in Figure 2(b). With D instantiated thusly, we can write the following program:⁸


  let p = new in
  let _ = put p {(3, 4)} in
  let v1 = get p {(⊥, n) | n ∈ ℕ} in
  ... v1 ...                                          (Example 1)


This program creates a new LVar p and stores the pair (3, 4) in it. (3, 4) then becomes the state of p. The premises of the E-GetVal reduction rule hold: S(p) = (3, 4); the threshold set Q = {(⊥, n) | n ∈ ℕ} is a pairwise incompatible subset of D; and there exists an element d1 ∈ Q such that d1 ⊑ (3, 4) in the lattice (D, ⊑). In particular, the pair (⊥, 4) is a member of Q, and (⊥, 4) ⊑ (3, 4) in (D, ⊑). Therefore, get p {(⊥, n) | n ∈ ℕ} returns the singleton set {(⊥, 4)}, which is a first-class value in λ_LVar that can, for example, subsequently be passed to put.

Since threshold sets can be cumbersome to read, we can define some convenient shorthands getFst and getSnd for working with the domain of pairs:

  getFst p = get p {(n, ⊥) | n ∈ ℕ}
  getSnd p = get p {(⊥, n) | n ∈ ℕ}

Querying incomplete data structures  It is worth noting that getSnd p returns a value even if the first entry of p is not filled in. For example, if the put in the second line of Example 1 had been put p {(⊥, 4)}, the get expression would still return {(⊥, 4)}. It is therefore possible to safely query an incomplete data structure—say, an object that is in the process of being initialized by a constructor. However, notice that we cannot define a getFstOrSnd function that returns if either entry of a pair is filled in. Doing so would amount to passing all of the boxed elements of the lattice in Figure 2(b) to get as a single threshold set, which would fail the incompatibility criterion.

Blocking reads  On the other hand, consider the following:

  let p = new in
  let _ = put p {(⊥, 4)} in
  let par v1 = getFst p
          _  = put p {(3, 4)}                         (Example 2)
  in ... v1 ...

Here getFst can attempt to read from the first entry of p before it has been written to. However, thanks to let par, the 
getFst operation is being evaluated in parallel with a put operation that will give it a value to read, so getFst simply 
blocks until put p {(3,4)} has been evaluated, at which point the evaluation of getFst p can proceed. 

In the operational semantics, this blocking behavior corresponds to the last premise of the E-GetVal rule not being satisfied. In Example 2, although the threshold set {(n, ⊥) | n ∈ ℕ} is incompatible, the E-GetVal rule cannot apply because there is no state in the threshold set that is lower than the state of p in the lattice—that is, we are trying to get something that isn’t yet there! It is only after p’s state is updated that the premise is satisfied and the rule applies.
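The following added example (not the paper's Redex model) turns Definitions 1–3, the put/get interface of Section 2.3 and the two examples above into runnable Python. It instantiates the pair-of-IVars domain of Figure 2(b), checks a threshold set for pairwise incompatibility before a get, raises on a put that would reach ⊤ (the E-PutValErr case), models a get whose E-GetVal premise fails as an exception, and joins the stores of two branches with the lub of Definition 3, with Definition 2 and Definition 4 orderings side by side. The class and function names, the finite range standing in for ℕ, and the string sentinels for ⊥, ⊤ and ⊤_S are this example's own choices.

```python
"""Executable model of LVar domains, stores and the put/get interface.

Added example; not the paper's Redex model.  Domain: pairs of natural-number
IVars (Figure 2(b)).  A state is TOP or a pair whose components are BOT or a
natural number; a conflict in either component makes the whole state TOP.
Threshold sets such as {(⊥, n) | n ∈ ℕ} use the constructed finite range NATS.
"""
BOT, TOP = "⊥", "⊤"          # least and greatest element of an IVar component
TOP_S = "⊤_S"                # the error store of Definition 1
NATS = range(8)              # constructed finite stand-in for ℕ

def lub1(a, b):
    """Lub in the IVar lattice {⊥} ∪ ℕ ∪ {⊤} (Figure 2(a)): distinct values conflict."""
    if a == BOT: return b
    if b == BOT: return a
    return a if a == b else TOP

def leq1(a, b):
    """a ⊑ b in the IVar lattice: ⊥ ⊑ d ⊑ ⊤ and d ⊑ d."""
    return a == BOT or b == TOP or a == b

def lub(d1, d2):
    """Componentwise lub in the pair domain; a ⊤ component collapses the pair to ⊤."""
    if d1 == TOP or d2 == TOP: return TOP
    x, y = lub1(d1[0], d2[0]), lub1(d1[1], d2[1])
    return TOP if TOP in (x, y) else (x, y)

def leq(d1, d2):
    """d1 ⊑ d2 in the pair domain."""
    if d2 == TOP: return True
    if d1 == TOP: return False
    return leq1(d1[0], d2[0]) and leq1(d1[1], d2[1])

def incomp(Q):
    """Section 2.3: Q is pairwise incompatible iff any two distinct elements have lub ⊤."""
    return all(lub(a, b) == TOP for a in Q for b in Q if a != b)

class ConflictError(Exception): pass   # a put whose result would be ⊤ (E-PutValErr)
class Blocked(Exception): pass         # the last premise of E-GetVal does not hold yet

class Store:
    """Finite map from locations to non-⊤ states (Definition 1) with new/put/get."""
    def __init__(self): self.s, self.fresh = {}, 0
    def new(self):                        # E-New: bind a fresh location to ⊥
        loc = f"l{self.fresh}"; self.fresh += 1
        self.s[loc] = (BOT, BOT); return loc
    def put(self, loc, d):                # E-PutVal: merge by lub, error if that reaches ⊤
        merged = lub(self.s[loc], d)
        if merged == TOP: raise ConflictError(loc)
        self.s[loc] = merged
    def get(self, loc, Q):                # E-GetVal: blocking threshold read
        if not incomp(Q): raise ValueError("threshold set is not pairwise incompatible")
        hits = [q for q in Q if leq(q, self.s[loc])]
        if not hits: raise Blocked(loc)   # no element of Q is at or below the state
        assert len(hits) == 1             # uniqueness follows from incompatibility
        return hits[0]

def store_lub(s1, s2):
    """Definition 3: ⊤_S if a shared location's states conflict, else pointwise lub."""
    if s1 == TOP_S or s2 == TOP_S: return TOP_S
    out = dict(s1)
    for loc, d in s2.items():
        merged = lub(out[loc], d) if loc in out else d
        if merged == TOP: return TOP_S
        out[loc] = merged
    return out

def store_leq(s1, s2):
    """Definition 2: S' = ⊤_S, or dom(S) ⊆ dom(S') and S(l) ⊑ S'(l) pointwise."""
    return s2 == TOP_S or (s1 != TOP_S and all(l in s2 and leq(d, s2[l]) for l, d in s1.items()))

def store_leq_cnc(s1, s2):
    """Definition 4 (Featherweight CnC): pointwise equality instead of ⊑."""
    return all(l in s2 and d == s2[l] for l, d in s1.items())

FST = frozenset((n, BOT) for n in NATS)   # getFst threshold set {(n, ⊥) | n ∈ ℕ}
SND = frozenset((BOT, n) for n in NATS)   # getSnd threshold set {(⊥, n) | n ∈ ℕ}

def example1():
    """Example 1: put (3, 4), then getSnd returns (⊥, 4)."""
    S = Store(); p = S.new()
    S.put(p, (3, 4))
    return S.get(p, SND)

def example2():
    """Example 2: getFst bloc​ks while p = (⊥, 4); after put (3, 4) it returns (3, ⊥)."""
    S = Store(); p = S.new()
    S.put(p, (BOT, 4))
    try:
        S.get(p, FST); blocked = False
    except Blocked:
        blocked = True
    S.put(p, (3, 4))                      # the parallel put of Example 2 now runs
    return blocked, S.get(p, FST)

def fork_join_example():
    """E-ParApp: each branch updates its own copy of S; the join takes the lub (Def. 3)."""
    S = Store(); p = S.new()
    s1, s2, s3 = dict(S.s), dict(S.s), dict(S.s)
    s1[p], s2[p], s3[p] = (3, BOT), (BOT, 4), (5, BOT)
    return store_lub(s1, s2)[p], store_lub(s1, s3)   # (3, 4), and ⊤_S as in E-ParAppErr
```

The getFstOrSnd function the text rules out corresponds to the threshold set `FST | SND`, which `incomp` rejects because (0, ⊥) ⊔ (⊥, 0) = (0, 0) ≠ ⊤. The store comparison functions illustrate the point of Section 2.4: `[p ↦ (3, ⊥)] ⊑_S [p ↦ (3, 4)]` holds under Definition 2 but not under Definition 4, since the binding for p changed rather than being created.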

3.3 Converting from Threshold Sets to λ-terms and Back

There are two worlds that λ_LVar values may inhabit: the world of threshold sets, and the world of λ-terms. But if these worlds are disjoint—if threshold set values are opaque atoms—certain programs are impossible to write. For example,


⁸ For clarity, we will write let x = e1 in e2 as a shorthand for ((λx. e2) e1).







Frame rule (O’Hearn et al., 2001):

$$\frac{\{p\}\ c\ \{q\}}{\{p * r\}\ c\ \{q * r\}}\qquad (\text{where no free variable in } r \text{ is modified by } c)$$

Lemma 3 (Independence), simplified:

$$\frac{\langle S;\ e\rangle \hookrightarrow \langle S';\ e'\rangle}{\langle S \sqcup_S S'';\ e\rangle \hookrightarrow \langle S' \sqcup_S S'';\ e'\rangle}\qquad (\text{where } S'' \text{ is non-conflicting with } \langle S;\ e\rangle \hookrightarrow \langle S';\ e'\rangle)$$

Figure 6: Comparison of the frame rule with a simplified version of the Independence lemma. The * connective in the frame rule requires that its arguments be disjoint.

implementing single-assignment arrays in λ_LVar requires that arbitrary array indices can be computed and converted to threshold sets.

Thus we parameterize our semantics by a conversion function, δ : v → v, to which λ_LVar provides an interface through its convert language form. The conversion function can arbitrarily convert between representations of values as threshold sets and representations as λ-terms. It is optional in the sense that providing an identity or empty function is acceptable, and leaves λ_LVar sensible but less expressive (i.e., threshold sets are still first-class values, but usable only for passing to get and put).⁹


4 Proof of Determinism for λ_LVar

Our main technical result is a proof of determinism for the λ_LVar language. The complete proofs appear in Appendix A.

4.1 Framing and Renaming 

Figure 6 shows a frame rule, due to O'Hearn et al. [20], which captures the idea that, given a program c with precondition 
p that holds before it runs and postcondition q that holds afterward, a disjoint condition r that holds before c runs 
will continue to hold afterward. Moreover, the original postcondition q will continue to hold. For λLVar, we can state a 
property that is analogous to the frame rule, but to do so we have to define a notion of non-conflicting stores. Given a 
transition (S; e) ↪ (S'; e'), the set dom(S') − dom(S) is the set of names of new store bindings created between 
(S; e) and (S'; e'). We say that a store S'' is non-conflicting with the transition (S; e) ↪ (S'; e') iff dom(S'') does 
not have any elements in common with dom(S') − dom(S). 

Definition 5. A store S'' is non-conflicting with the transition (S; e) ↪ (S'; e') iff (dom(S') − dom(S)) ∩ 
dom(S'') = ∅. 

Requiring that a store S'' be non-conflicting with a transition (S; e) ↪ (S'; e') is not as restrictive a requirement 
as it appears to be at first glance: it is fine for S'' to contain bindings for locations that are bound in S', as long as 
they are also locations bound in S. In fact, they may even be locations that were updated in the transition from (S; e) 
to (S'; e'), as long as they were not created during it. In other words, given a store S'' that is non-conflicting with 
(S; e) ↪ (S'; e'), it may still be the case that dom(S'') has elements in common with dom(S), and hence with the subset 
of dom(S') that is dom(S). 

Renaming   Recall that when λLVar programs split into two subcomputations via the E-ParApp rule, the subcomputations' 
stores are merged (via the lub operation) as they are running. Therefore we need to ensure that the following 
two properties hold: 

9 A reasonable alternative definition of λLVar would remove threshold set values entirely and require that threshold set inputs and outputs to 
get/put be implicitly converted. Yet the language is deterministic even in its more general form, with first-class threshold sets, and we do not 
want to unduly restrict the language. 

1. Location names created before a split still match up with each other after a merge. 

2. Location names created by each subcomputation while they are running independently do not match up with 
each other accidentally— i.e., they do not collide. 

Property (2) is why it is necessary to rename locations in the E-ParApp (and E-ParAppErr) rule. This renaming is 
accomplished by a call to the rename metafunction, which, for each location name l generated during the reduction 
(S; e1) ↪ (S1; e1'), generates a name that is not yet used on either side of the split and substitutes that name into 
(S1; e1') in place of l.^10 We arbitrarily choose to rename locations created during the reduction of (S; e1), but it would 
work just as well to rename those created during the reduction of (S; e2). 

Definition 6. The rename metafunction is defined as follows: 

    rename(·, ·, ·) : σ × S × S → σ 

    rename((S'; e), S'', S) = (S'; e)[l1 := l1'] ... [ln := ln'] 

where: 

• {l1, ..., ln} = dom(S') − dom(S), and 

• {l1', ..., ln'} is a set such that li' ∉ (dom(S') ∪ dom(S'')) for i ∈ [1..n]. 

However, property (1) means that we cannot allow α-renaming of bound locations in a configuration to be done at will. 
Rather, renaming can only be done safely if it is done in the context of a transition from configuration to configuration. 
Therefore, we define a notion of safe renaming with respect to a transition. 

Definition 7. A renaming of a configuration (S; e) is the substitution into (S; e) of location names l1', ..., ln' for 
some subset l1, ..., ln of dom(S). 

Definition 8. A safe renaming of (S'; e') with respect to (S; e) ↪ (S'; e') is a renaming of (S'; e') in which the 
locations l1, ..., ln being renamed are the members of the set dom(S') − dom(S), and the names l1', ..., ln' that are 
replacing l1, ..., ln do not appear in dom(S'). 

If (S''; e'') is a safe renaming of (S'; e') with respect to (S; e) ↪ (S'; e'), then S'' is by definition non-conflicting 
with (S; e) ↪ (S'; e'). 

4.2 Renaming Lemmas 

With the aforementioned definitions in place, we can establish the following two properties about renaming. Lemma 1 
expresses the idea that the names of locations created during a reduction step are arbitrary within the context of that 
step. It says that if a configuration (S; e) steps to (S'; e'), then (S; e) can also step to configurations that are safe 
renamings of (S'; e') with respect to (S; e) ↪ (S'; e'). 

Lemma 1 (Renaming of Locations During a Step). If (S; e) ↪ (S'; e') (where (S'; e') ≠ error) and {l1, ..., ln} = 
dom(S') − dom(S), then: 

For all sets {l1', ..., ln'} such that li' ∉ dom(S') for i ∈ [1..n]: 

    (S; e) ↪ (S_oldlocs[l1' ↦ S'(l1)] ... [ln' ↦ S'(ln)]; e'[l1 := l1'] ... [ln := ln'])   (≠ error), 

where S_oldlocs is defined as follows: dom(S_oldlocs) = dom(S), and for all l ∈ dom(S_oldlocs), S_oldlocs(l) = S'(l). 

10 Since λLVar locations are drawn from a distinguished set Loc, they cannot occur in the user's domain D; that is, locations in λLVar may not 
contain pointers to other locations. Likewise, λ-bound variables in e are never location names. Therefore, substitutions like the one in Definition 6 
will not capture bound occurrences of location names. 

Proof. See Appendix, Section A.1. □ 


Finally, Lemma 2 says that in the circumstances where we use the rename metafunction, the renaming it performs 
meets the specification set by Lemma 1. 

Lemma 2 (Safety of rename). If (S; e) ↪ (S'; e') (where (S'; e') ≠ error) and S'' ≠ ⊤_S, then: 

    (S; e) ↪ rename((S'; e'), S'', S). 

Proof. See Appendix, Section A.2. □ 


4.3 Supporting Lemmas 

Lemmas 3, 4 and 5 express three key properties that we need for establishing determinism. Lemma 3 expresses a local 
reasoning property: it says that if a transition steps from (S; e) to (S'; e'), then the configuration (S ⊔_S S''; e), where 
S'' is some other store (e.g., one from another subcomputation), will step to (S' ⊔_S S''; e'). The only restrictions on S'' 
are that S' ⊔_S S'' cannot be ⊤_S, and that S'' must be non-conflicting with the original transition (S; e) ↪ (S'; e'). 
Like the frame rule, the Independence lemma allows us to "frame in" a larger store around e and still finish the 
transition with e', with the non-conflicting requirement ruling out name conflicts caused by allocation. 

Lemma 4 handles the case where S' ⊔_S S'' = ⊤_S and ensures that in that case, (S ⊔_S S''; e) steps to error. In either 
case, whether the transition results in (S' ⊔_S S''; e') or in error, we know that it will never result in a configuration 
containing some other e'' ≠ e'. Finally, Lemma 5 says that if a configuration (S; e) steps to error, then evaluating e 
in some larger store will also result in error. 

Lemma 3 (Independence). If (S; e) ↪ (S'; e') (where (S'; e') ≠ error), then for all S'' such that S'' is non-conflicting 
with (S; e) ↪ (S'; e') and S' ⊔_S S'' ≠ ⊤_S: 

    (S ⊔_S S''; e) ↪ (S' ⊔_S S''; e'). 

Proof. See Appendix, Section A.3. □ 

Lemma 4 (Clash). If (S; e) ↪ (S'; e') (where (S'; e') ≠ error), then for all S'' such that S'' is non-conflicting 
with (S; e) ↪ (S'; e') and S' ⊔_S S'' = ⊤_S: 

    (S ⊔_S S''; e) ↪ error. 

Proof. See Appendix, Section A.4. □ 

Lemma 5 (Error Preservation). If (S; e) ↪ error and S ⊑_S S', then (S'; e) ↪ error. 

Proof. See Appendix, Section A.5. □ 
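The store-level definitions of Section 4.1 and the Independence and Clash lemmas are easy to misread, so here is a small Python model of them, added for this edition rather than taken from the paper. It fixes the IVar lattice (⊥, a value, ⊤) as the state domain, represents a store as a dict from location names to states with TOP_S standing for ⊤_S, and models one constructed program, `put l0 3; new`, as a function from a store to the resulting configuration; the name of the freshly allocated location is passed in explicitly because E-New may choose any unused name. `non_conflicting` and `rename` follow Definitions 5 and 6; `check_independence`, `check_clash` and `check_rename` exercise Lemmas 3, 4 and 2 on concrete stores. The naming scheme l0, l1, ... and the program itself are assumptions of the example.

```python
# Constructed example, not the paper's code: Definitions 5-8 and Lemmas 2-4 on concrete stores.
BOT, TOP, TOP_S = None, "TOP", "TOP_S"   # IVar lattice states; TOP_S is the conflicting store


class StepError(Exception):
    """The step leads to the error configuration."""


def lub(a, b):
    """Least upper bound in the IVar lattice: bottom < v < TOP; two distinct values clash."""
    if a is BOT:
        return b
    if b is BOT:
        return a
    return a if a == b else TOP


def lub_store(s1, s2):
    """S lub_S S'': pointwise lub; a location reaching TOP collapses the whole store to TOP_S."""
    if s1 is TOP_S or s2 is TOP_S:
        return TOP_S
    out = dict(s1)
    for loc, d in s2.items():
        out[loc] = lub(out.get(loc, BOT), d)
        if out[loc] == TOP:
            return TOP_S
    return out


def new_locs(S, S1):
    """dom(S') - dom(S): the locations the step allocated."""
    return set(S1) - set(S)


def non_conflicting(S, S1, S2):
    """Definition 5: S'' may overlap dom(S), even updated locations, but not the new ones."""
    return not (new_locs(S, S1) & set(S2))


def rename(S1, e1, S2, S):
    """Definition 6: substitute names unused in dom(S') and dom(S'') for the allocated ones.
    e is modelled as the list of locations the residual term mentions."""
    used = set(S1) | set(S2)
    subst, i = {}, 0
    for loc in sorted(new_locs(S, S1)):
        while f"l{i}" in used:
            i += 1
        subst[loc] = f"l{i}"
        used.add(f"l{i}")
    return {subst.get(l, l): d for l, d in S1.items()}, [subst.get(l, l) for l in e1]


def program(S, fresh, target="l0", value=3):
    """One step of the assumed program `put target value; new`: (S; e) -> (S'; e')."""
    if S is TOP_S:
        raise StepError("store is already TOP_S")
    if fresh in S:
        raise ValueError(f"{fresh} is not fresh in {sorted(S)}")
    S1 = dict(S)
    S1[target] = lub(S1.get(target, BOT), value)
    if S1[target] == TOP:
        raise StepError("put clashed: store would be TOP_S")   # E-PutErr
    S1[fresh] = BOT                                             # E-New
    return S1, [fresh]


def check_independence(S, S2, fresh):
    """Lemma 3: framing a non-conflicting S'' around the step commutes with the step."""
    S1, e1 = program(S, fresh)
    assert non_conflicting(S, S1, S2) and lub_store(S1, S2) is not TOP_S
    return program(lub_store(S, S2), fresh) == (lub_store(S1, S2), e1)


def check_clash(S, S2, fresh):
    """Lemma 4: when S' lub S'' is TOP_S, stepping from S lub S'' goes to error instead."""
    S1, _ = program(S, fresh)
    assert non_conflicting(S, S1, S2) and lub_store(S1, S2) is TOP_S
    try:
        program(lub_store(S, S2), fresh)
    except StepError:
        return True
    return False


def check_rename(S, S2, fresh):
    """Lemma 2 in use: after rename a conflicting S'' is non-conflicting, the renamed
    configuration is one (S; e) can step to (Lemma 1), and Lemma 3 then applies."""
    S1, e1 = program(S, fresh)
    assert not non_conflicting(S, S1, S2)
    Sr, er = rename(S1, e1, S2, S)
    return (non_conflicting(S, Sr, S2)
            and program(S, er[0]) == (Sr, er)
            and program(lub_store(S, S2), er[0]) == (lub_store(Sr, S2), er))
```

With S = {l0 ↦ ⊥} and the step allocating l1, a store S'' = {l0 ↦ 3, l5 ↦ 7} is non-conflicting even though it touches the updated location l0, and Independence holds; S'' = {l0 ↦ 5} clashes and the merged store steps to error; S'' = {l1 ↦ 9} conflicts and must first be repaired by rename, which moves the allocation to l2.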

4.4 Diamond Lemma 

Lemma 6 does the heavy lifting of our determinism proof: it establishes the diamond property (or Church-Rosser 
property), which says that if a configuration steps to two different configurations, there exists a single third configuration 
to which those configurations both step. 

Lemma 6 (Diamond). If σ ↪ σ_a and σ ↪ σ_b, then there exists σ_c such that either: 

• σ_a ↪ σ_c and σ_b ↪ σ_c, or 

• there exists a safe renaming σ_b' of σ_b with respect to σ ↪ σ_b, such that σ_a ↪ σ_c and σ_b' ↪ σ_c. 

Proof. See Appendix, Section A.6. □ 

We can readily restate Lemma 6 as Corollary 1. 

Corollary 1 (Strong Local Confluence). If σ ↪ σ' and σ ↪ σ'', then there exist σ_c, i, j such that σ' ↪^i σ_c and 
σ'' ↪^j σ_c and i ≤ 1 and j ≤ 1. 

Proof. Choose i = j = 1. The proof follows immediately from Lemma 6. □ 
[Figure 7 diagram not recoverable from this extraction; it depicts σ = (S; e1 e2) stepping by E-ParApp to σ_a and σ_b, 
the induction hypothesis supplying common successors for each pair of subconfigurations, and the σ_c to be constructed.] 

Figure 7: Diagram of the subcase of Lemma 6 in which the E-ParApp rule is the last rule in the derivation of both 
σ ↪ σ_a and σ ↪ σ_b. We are required to show that, if the configuration (S; e1 e2) steps by E-ParApp to two 
different configurations, (S_a1 ⊔_S S_a2; e_a1 e_a2) and (S_b1 ⊔_S S_b2; e_b1 e_b2), they both step to some third configuration 
σ_c. 


4.5 Confluence Lemmas and Determinism 

With Lemma 6 in place, we can straightforwardly generalize its result to multiple steps, by induction on the number 
of steps, as Lemmas 7, 8 and 9 show.^11 

Lemma 7 (Strong One-Sided Confluence). If σ ↪ σ' and σ ↪^m σ'', where 1 ≤ m, then there exist σ_c, i, j such 
that σ' ↪^i σ_c and σ'' ↪^j σ_c and i ≤ m and j ≤ 1. 

Proof. See Appendix, Section A.7. □ 

Lemma 8 (Strong Confluence). If σ ↪^n σ' and σ ↪^m σ'', where 1 ≤ n and 1 ≤ m, then there exist σ_c, i, j such 
that σ' ↪^i σ_c and σ'' ↪^j σ_c and i ≤ m and j ≤ n. 

Proof. See Appendix, Section A.8. □ 

Lemma 9 (Confluence). If σ ↪* σ' and σ ↪* σ'', then there exists σ_c such that σ' ↪* σ_c and σ'' ↪* σ_c. 

Proof. Strong Confluence (Lemma 8) implies Confluence. □ 

Theorem 1 (Determinism). If σ ↪* σ' and σ ↪* σ'', and neither σ' nor σ'' can take a step except by E-Refl or 
E-ReflErr, then σ' = σ''. 

Proof. We have from Lemma 9 that there exists σ_c such that σ' ↪* σ_c and σ'' ↪* σ_c. Since σ' and σ'' can only 
step to themselves, we must have σ' = σ_c and σ'' = σ_c, hence σ' = σ''. □ 

5 Modeling Other Deterministic Parallel Models 

In this section, we present evidence that the λLVar programming model is general enough to subsume two rather different 
families of deterministic-by-construction parallel computation models. The first category is single-assignment 
models, from which we'll take Intel's Concurrent Collections framework and Haskell's monad-par library [18] 
as two examples. The second is data-flow networks, specifically Kahn process networks (KPNs). In Section 7 
we discuss additional models that are related to, but not directly modeled by, λLVar. 

11 Lemmas 7, 8 and 9 are nearly identical to the corresponding lemmas in the proof of determinism for Featherweight CnC given by Budimlić 
et al. We also reuse Budimlić et al.'s naming conventions for Lemmas 3 through 6, but the statements and proofs of those lemmas differ 
considerably in our setting. 
5.1 Concurrent Collections 


In Section 2.1 we mentioned the Featherweight CnC language and its monotonically growing memory store. Featherweight 
CnC is a simplified model of the Concurrent Collections (CnC) language for composing graphs of "steps", 
more commonly known as actors, which are implemented separately in a general-purpose language (C++, Java, 
Haskell, or Python). To begin execution, a subset of steps are invoked at startup time. Each step, when executed, 
may perform puts and gets on global, shared data collections (tables of IVars), as well as send messages to invoke 
other steps. The steps themselves are stateless, except for the information they store externally in the aforementioned 
tables. 

The role of monotonicity has been understood, at least informally, in the design of CnC. However, this has not, 
until now, led to a treatment of shared data collections as general as λLVar. λLVar subsumes CnC in the following 
sense. If the language used to express CnC steps is the call-by-value λ-calculus, then CnC programs can be translated 
to λLVar; each step would become a function definition, generated in the following way: 

• Each step function takes a single argument (its message, or in CnC terminology, its tag ) and returns {}—our 
unit, the empty threshold set—being executed for effect only. 

• All invocations of other steps (message sends) within the step body, are aggregated at the end of the function 
and performed inside a let par. This is the sole source of parallelism. The aggregation can be accomplished 
either statically, by a program transformation that moves sends, or by dynamic buffering of the outgoing sends. 

• The rest of the body of a step is translated directly: puts on data collections become λLVar puts; gets become 
λLVar gets. 

The following skeleton shows the form of a program converted by the above method. It first defines steps, then 
launches the initial batch of "messages", and finally reads whatever result is desired. 

    let step1 = λ msg. get ...; put ...; 
                       let par _ = step1 ... 
                               _ = step2 ... 
                               _ = step2 ... 
                       in {} 
    in let step2 = ... 
    in let data1 = new               -- global data collections 
    in let par _ = step1 33          -- invoke initial steps 
               _ = step2 44 
    in convert (get data1 key)       -- retrieve final result 

Somewhat surprisingly, the CnC programming model is not implementable in a parallel call-by-value λ-calculus extended 
only with IVars. In fact, it was this observation that began the inquiry leading to the development of λLVar. 
The reason is that CnC provides globally scoped, extensible tables of IVars, not just IVars alone. While a λ-calculus 
augmented with IVars could model shared global IVars, or even fixed collections of IVars, it is, to our knowledge, 
impossible to create a mutable, extensible table data structure with IVars alone. 

Finally, if there were not already a determinism result for CnC (which is previous work by the second author and 
others), one could bootstrap determinism by proving that every valid step in a CnC semantics maps onto one or 
more evaluation steps for the translated version under the λLVar semantics; that is, the λLVar encoding simulates all 
possible executions of the CnC program, and since it yields a single answer, so does the CnC program. 

5.2 The monad-par Haskell library 

The monad-par package for Haskell [18] provides a parallel deterministic programming model with an explicit fork 
operation together with first-class IVars. monad-par uses explicit sequencing via a monad, together with Haskell's 
lazy evaluation. To translate monad-par programs to λLVar, evaluation order can be addressed using standard techniques, 
and λLVar can model monad-par's fork operation with let par, using the method in Section 5.1. But because 
monad-par has no join operations (IVar gets being the only synchronization mechanism), it would be necessary to 
use continuation-passing style in the translation. If the original monad-par program forks a child computation and 
returns, the translated program must invoke both the fork and its continuation within a let par expression. 

Another wrinkle for translation of monad-par programs into λLVar is that while monad-par IVars may contain 
other IVars, LVars cannot contain LVars. This problem can be overcome by using a type-directed translation in which 
each IVar is represented by the wide, height-three lattice shown in Figure 2(a), and multiple IVars are modeled by product 
lattices. For example, a location of type IVar (IVar Int, IVar Char) in monad-par would correspond 
to a lattice similar to that pictured in Figure 2(b). Chaining IVar type constructors, e.g., IVar (IVar (...)), 
would simply add additional empty states, repeatedly lifting the domain with a new ⊥. All these types create larger 
state spaces, but do not pose a fundamental barrier to encoding monad-par IVars as LVars. 

Although λLVar is a calculus rather than a practical programming language, the exercise of modeling monad-par 
in λLVar suggests practical extensions to monad-par. For example, additional data structures beyond IVars could be 
provided (e.g., maps or tries), using the λLVar translation to ensure determinism is retained. 

5.3 Kahn Process Networks 

Data-flow models have been a topic of theoretical and practical [14] study for decades. In particular, Kahn's 
1974 paper crystallized the contemporary work on data-flow with a denotational account of Kahn process networks 
(KPNs): a deterministic model in which a network of processes communicates through single-reader, single-writer 
FIFO channels with non-blocking writes and blocking reads. Because λLVar is general enough to subsume KPNs, it 
represents a step towards bringing the body of work on data-flow into the broader context of functional and single-assignment 
languages. 

To map KPNs into λLVar, we represent FIFOs as ordered sequences of values, monotonically growing on one end 
(i.e., channel histories). In fact, the original work on KPNs used exactly this representation (and the complete 
partial order based on it) to establish determinism. However, to our knowledge neither KPNs nor any other data-flow 
model has generalized the data structures used for communication beyond FIFOs to include other monotonically 
growing structures (e.g., maps). 

An LVar representing a FIFO has a state encoding all elements sent on that FIFO to date. We represent sequences 
as sets of (index, value) associations with subset inclusion as the order ⊑. For example, {(0, a), (1, b)} encodes a 
two-element sequence. This makes it convenient to write threshold sets such as {{(0, n)} | n ∈ ℕ}, whose elements are 
one-element histories and which will match any state encoding a channel history with a natural number value in position 0. 

In this encoding, the producers and consumers using a FIFO must explicitly keep track of what position they read 
and write, i.e., the "cursor". This contrasts with an imperative formulation, where advancing the cursor is a side effect 
of "popping" the FIFO. A proper encoding of FIFO behavior writes and reads consecutive positions only.^12 

But what of the deterministic processes themselves? In Kahn's original work, they are treated as functions on 
channel histories without any internal structure. In a λLVar formulation of KPNs, they take the form of recursive 
functions that carry their state (and cursor positions) as arguments. In Figure 8 we use self-application to enable 
recursion, and we express a stream filter filterDups that prunes out all duplicate consecutive numbers from a 
stream. 

Figure 8 assumes quite a bit in the way of syntactic sugar, although nothing non-standard. Church numerals would 
be needed to encode natural numbers, as well as a standard encoding of booleans. Because the encoding of Figure 8 
will only work for finite executions, the cnt argument tells filterDups how many input elements to process. The 
fourth argument, lst, tracks the previously observed element on the input stream, that is, the state of the stream 
transducer. The second and third arguments to filterDups are the cursors that track positions in both the input and 
output streams. The convert function is necessary for computing threshold sets based on the values of cursors. 

This technique is sufficient for encoding arbitrary KPN programs into λLVar. It is by no means a natural expression 
of this concept, especially due to the fact that the input and output stream cursors must be tracked explicitly. However, 

12 In the λLVar abstraction we don't address concrete representations or storage requirements for LVar states and threshold sets. In a practical 
implementation, one would expect that already-consumed FIFO elements would be garbage-collected, which in turn requires strict enforcement of 
consecutively increasing access only. 
    let filterDups = λ f i1 i2 lst cnt. 
                       let next = get inp (convert i1) 
                           i2'  = if (lst = next) then i2 
                                  else put outp (convert (i2, next)); (i2 + 1) 
                       in if (cnt = 0) then {} 
                          else f f (i1 + 1) i2' next (cnt − 1) 
    in filterDups filterDups 0 ... 
    where convert i      = {{(i, n)} | n ∈ ℕ} 
          convert (i, n) = {{(i, n)}} 

Figure 8: Process an input stream, removing consecutive duplicates. inp and outp are channels, globally bound 
elsewhere. 


with additional infrastructure for tracking stream cursors (and other state) by means of a state monad, the program 
given in Figure [8] could become significantly more idiomatic. 

6 Safe, Limited Nondeterminism 

In practice, a major problem with nondeterministic programs is that they can silently go wrong. Most parallel programming 
models are unsafe in this sense, but we may classify a nondeterministic language as safe if all occurrences 
of nondeterminism (that is, execution paths that would yield an incorrect answer) are caught and reported as errors. 
This notion of safe nondeterminism is analogous to the concept of type safety: type-safe programs can throw exceptions, 
but they will not "go wrong". We find that there are various extensions^13 to a deterministic language that make it 
safely nondeterministic. Here, we will look at one such extension: exact but destructive observations. 

We take as our motivating example the shared, increment-only counter of Figure 2(c), and begin with the observation 
that when the state of a shared counter has come to rest, when no more increments will occur, then its final value 
is a deterministic function of program inputs, and is therefore safe to read directly. The problem is determining when 
an LVar has come to rest. However, if the value of an LVar is indeed at rest, then we do no harm to it by corrupting 
its state in such a way that further increments will lead to an error. We can accomplish this by adding an extra state, 
called probation, to the domain D. The lattice defined by the relation ⊑ is extended thus: 

    probation ⊑ ⊤ 

    ∀d ∈ D. d ⋢ probation 

13 While not recognized explicitly by the authors as such, a recent extension to CnC for memory management incidentally fell into this category. 


    let cnt = new in 
    let sum = new in 
    let par p1 = (bump_3 sum; bump_1 cnt) 
            p2 = (bump_4 sum; bump_1 cnt) 
            p3 = (bump_5 sum; bump_1 cnt) 
            r  = (get cnt 3; consume sum) 
    in ... r ... 

Figure 9: A deterministic program that makes destructive observations. 
We then propose a new operation, consume, that takes a pointer to an LVar l, updates the store, setting l's state to 
probation, and returns a singleton set containing the exact previous state of l, rather than a lower bound on that state. 
The idea is to ensure that, after a consume, any further operations on l will go awry: put operations will attempt to 
move the state of l to ⊤, which will cause the system to step to error. 

Figure 9 shows an example program that uses consume to perform an asynchronous sum reduction over a known 
number of inputs. In such a reduction, data dependencies alone determine when the reduction is complete, rather 
than control constructs such as parallel loops and barriers. In Figure 9 we use semicolon as sugar for sequential 
composition: for example, e1; e2 rather than let _ = e1 in e2. We also assume a new syntactic sugar in the form of a 
bump operation that takes a pointer to an LVar and increments it by one, with bump_n l as an additional shorthand for 
n consecutive bumps to l. The get cnt 3 before the call to consume serves as a synchronization mechanism, ensuring 
that all increments are complete before the value is read, since each writer bumps cnt only after its bumps to sum. 
Three writers and one reader execute in parallel, and only 
when all writers complete does the reader return the sum, which in this case will be 3 + 4 + 5 = 12. 

The good news is that the program of Figure 9 is correct and deterministic; it will always return the same value 
in any execution. However, the consume primitive in general admits safe nondeterminism, meaning that, while all 
runs of the program will terminate with the same value if they terminate without error, some runs of the program may 
terminate in error, in spite of other runs completing successfully. To see how an error might occur, imagine an alternate 
version of the program of Figure 9 in which get cnt 3 is replaced by get cnt 2. This version would have insufficient 
synchronization. The program could run correctly many times (if the bumps happen to complete before the consume 
operation executes) and yet step to error on the thousandth run. Yet, with safe nondeterminism, it is possible to 
catch and respond to this error, for example by rerunning in a debug mode that is guaranteed to find a valid execution 
if it exists, or by using a data-race detector which will reproduce all races in the execution in question. We have 
implemented example interpreters and a race detector for λLVar, available at http://github.com/rrnewton/lambda_par_interps 


6.1 Syntactic Sugar for Counting 

Strictly speaking, if we directly use the lattice of Figure 2(c), the bump operation would not be possible. Therefore, 
rather than use the domain in Figure 2(c) directly, we can simulate it using a power-set lattice over an arbitrary alphabet 
of symbols {a, b, c, ...}, ordered by subset inclusion. LVars occupying such a lattice encode natural numbers using 
the cardinality of the subset.^14 Thus, a blocking get operation that unblocks when the count reaches, say, 3 would take 
a threshold set enumerating all the three-element subsets of the alphabet. 

With this encoding, incrementing a shared variable l requires put l {a}, where a ∈ {a, b, c, ...} and a has not 
previously been used. Thus, without any additional support, a hypothetical programmer would be responsible for 
creating a unique a for each parallel contribution to the counter. There are well-known techniques, however, for 
generating a unique (but schedule-invariant and deterministic) identifier for a given point in a parallel execution. One 
solution is to reify the position of an operation inside a tree (or DAG) of parallel evaluations. The Cilk Plus parallel 
programming language refers to this notion as the operation's pedigree and uses it to seed a deterministic parallel 
random number generator. 

With this encoding, we can implement an expression unique, which, when evaluated, returns a singleton threshold 
set containing a single unique element of the alphabet: {a}. With the unique syntax, we can write programs like the 
following, in which two parallel threads increment the same counter: 

    let sum = new in 
    let par p1 = (put sum unique; put sum unique) 
            p2 = (put sum unique) 
    in ... 

(Example 3) 

In this case, the p1 and p2 "threads" will together increment the sum by three. Notice that the two consecutive increments 
performed by p1 are not atomic. With unique in place, bump l desugars to put l unique. The unique construct could 
be implemented by a whole-program transformation over a sugared λLVar expression. Figure 10 shows one possible 

14 Of course, just as with an encoding like Church numerals, this encoding would never be used by a realistic implementation. 
    ⟦unique⟧    = λp. convert p 
    ⟦v⟧         = λp. v 
    ⟦x⟧         = λp. x 
    ⟦λx. e⟧     = λp. λx. ⟦e⟧ 
    ⟦new⟧       = λp. new 
    ⟦e1 e2⟧     = λp. ((⟦e1⟧ L:p) (⟦e2⟧ R:p) J:p) 
    ⟦put a b⟧   = λp. put (⟦a⟧ L:p) (⟦b⟧ R:p) 
    ⟦get a b⟧   = λp. get (⟦a⟧ L:p) (⟦b⟧ R:p) 
    ⟦convert e⟧ = λp. convert (⟦e⟧ p) 

Figure 10: Rewrite rules for desugaring the unique construct within λLVar programs. Here we use "L:", "R:", "J:" 
to cons onto the front of a list that represents a path within a fork/join DAG. The symbols mean, respectively, "left 
branch", "right branch", or "after the join" of the two branches. This requires a λ-calculus encoding of lists, as well 
as a definition of convert that is an injective function from these list values onto the domain D. 

implementation. It creates a tree that tracks the dynamic evaluation of applications, and shows some similarity to a 
continuation-passing style transformation. 
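As an added worked example, not code from the paper or from its interpreters, the following Python runtime implements the pieces of λLVar used in Sections 3.3, 5.3, 6 and 6.1 for one lattice, the power set ordered by inclusion: monotonic put as set union, a blocking threshold get, the consume operation with its probation state, FIFO channels as sets of (index, value) pairs with the filterDups transducer of Figure 8, and the token-based counter of Section 6.1 driving the reduction of Figure 9. Threshold sets are passed as functions that do the job the conversion function of Section 3.3 does on paper: given a state they return the one element of the threshold set lying below it, or None while there is none (sets such as {{(i, n)} | n ∈ ℕ} cannot be enumerated). The names LVar, at, filter_dups, run_filter, bump, count_at_least and sum_reduction, the process-wide counter standing in for a pedigree in unique, and the choice to raise LVarError (rather than block forever) on a get of a consumed LVar are all assumptions of the example.

```python
import threading
from itertools import count

# Constructed example, not the paper's code.  States are frozensets (lub = union) plus the
# two extra states below; a threshold set is a function from a state to the element of the
# set lying below it, or None while there is none (the job of convert in Section 3.3).
TOP = "TOP"              # conflict state; reaching it is the error configuration
PROBATION = "PROBATION"  # Section 6: nothing in D lies below it, so any later put hits TOP


class LVarError(Exception):
    """The store stepped to error."""


class LVar:
    def __init__(self):
        self.state = frozenset()          # bottom of the power-set lattice
        self.cv = threading.Condition()

    def put(self, delta):
        """Monotonic write: state := state lub delta; puts commute, so their order is irrelevant."""
        with self.cv:
            if self.state is PROBATION or self.state is TOP:
                self.state = TOP
                self.cv.notify_all()
                raise LVarError("put after consume: store stepped to error")
            self.state = self.state | frozenset(delta)
            self.cv.notify_all()

    def get(self, threshold):
        """Threshold read (E-GetVal): block until an element of the threshold set lies below
        the state.  Raising on TOP/PROBATION is a runtime choice; the calculus just blocks."""
        with self.cv:
            while True:
                if self.state is TOP or self.state is PROBATION:
                    raise LVarError("get on an LVar that is TOP or in probation")
                hit = threshold(self.state)
                if hit is not None:
                    return hit
                self.cv.wait()

    def consume(self):
        """Section 6: exact but destructive read; later puts on this LVar are errors."""
        with self.cv:
            if self.state is TOP or self.state is PROBATION:
                raise LVarError("consume of an already consumed LVar")
            old, self.state = self.state, PROBATION
            self.cv.notify_all()
            return old


# Section 5.3: a FIFO is an LVar whose state is the set of (index, value) pairs sent so far.
def at(i):
    """convert i = {{(i, n)} | n in N}: the element below the state is the pair at index i."""
    return lambda state: next(((j, v) for (j, v) in state if j == i), None)


def filter_dups(inp, outp, cut):
    """Figure 8 with explicit cursors i1 (input), i2 (output) and lst, the last element seen."""
    i1 = i2 = 0
    lst = None                        # the paper leaves the initial value elided
    for _ in range(cut):
        _, nxt = inp.get(at(i1))
        if nxt != lst:
            outp.put({(i2, nxt)})     # convert (i2, next) = {{(i2, next)}}
            i2 += 1
        lst, i1 = nxt, i1 + 1
    return i2


def run_filter(values):
    """A single writer fills inp while the transducer runs; the reader reads outp by index."""
    inp, outp = LVar(), LVar()
    producer = threading.Thread(target=lambda: [inp.put({(i, v)}) for i, v in enumerate(values)])
    producer.start()
    n = filter_dups(inp, outp, len(values))
    producer.join()
    return [outp.get(at(i))[1] for i in range(n)]


# Section 6.1: a counter is an LVar over the power set of tokens; bump l = put l {unique}.
_tokens = count()   # assumption: a process-wide counter stands in for the pedigree


def bump(l, n=1):
    for _ in range(n):
        l.put({next(_tokens)})        # put l unique


def count_at_least(n):
    """get cnt n: unblocks once n tokens are present and returns the count n itself."""
    return lambda state: n if len(state) >= n else None


def sum_reduction(sync):
    """Figure 9 with `get cnt sync`: sync=3 always gives 12; sync=2 gives 12 or "error",
    never a wrong sum, because a late bump of the consumed LVar raises instead of being lost."""
    cnt, total, errors = LVar(), LVar(), []

    def writer(k):
        try:
            bump(total, k)
            bump(cnt)
        except LVarError as exc:
            errors.append(exc)

    writers = [threading.Thread(target=writer, args=(k,)) for k in (3, 4, 5)]
    for w in writers:
        w.start()
    cnt.get(count_at_least(sync))
    result = len(total.consume())
    for w in writers:
        w.join()
    return "error" if errors else result
```

run_filter([1, 1, 2, 2, 2, 3, 1]) returns [1, 2, 3, 1] whatever the interleaving of producer and transducer, because every read is a threshold read on a position that only ever gains a value. sum_reduction(3) always returns 12, while sum_reduction(2) returns either 12 or "error" and never a partial sum: with insufficient synchronization the late writer's put lands on an LVar in probation and raises, and the harness reports that after joining the writers rather than trusting the value it already read.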

7 Related Work 

Work on deterministic parallel programming models is long-standing. In addition to the single-assignment and KPN 
models already discussed, here we consider a few recent contributions to the literature. 

Deterministic Parallel Java (DPJ)   DPJ [6] is a deterministic language consisting of a system of annotations for 
Java code. A sophisticated region-based type system ensures that a mutable region of the heap is, essentially, passed 
linearly to an exclusive writer. While a linear type system or region system like that of DPJ could be used to enforce 
single assignment statically, accommodating λLVar's semantics would involve parameterizing the type system by the 
user-specified domain, a direction of inquiry that we leave for future work. 

DPJ also provides a way to unsafely assert that operations commute with one another (using the commutesWith 
form) to enable concurrent mutation. However, DPJ does not provide direct support for modeling message-passing 
(e.g., KPNs) or asynchronous communication within parallel regions. Finally, a key difference between the λLVar 
model and DPJ is that λLVar retains determinism by restricting what can be read or written, rather than by restricting 
who can read or write. 

Concurrent Revisions   The Concurrent Revisions (CR) programming model uses isolation types to distinguish 
regions of the heap shared by multiple mutators. Rather than enforcing exclusive access, CR clones a copy of the 
state for each mutator, using a deterministic policy for resolving conflicts in local copies. The management of shared 
variables in CR is tightly coupled to a fork-join control structure, and the implementation of these variables is similar 
to reduction variables in other languages (e.g., Cilk hyperobjects). CR charts an important new area in the 
deterministic-parallelism design space, but one that differs significantly from λLVar. CR could be used to model similar 
types of data structures (if versioned variables used least upper bound as their merge function for conflicts), but 
effects would only become visible at the end of parallel regions, rather than through λLVar's asynchronous communication 
within parallel regions. 

Bloom and Bloom^L   In the distributed systems literature, eventually consistent systems [25] leverage the idea of 
monotonicity to guarantee that, for instance, nodes in a distributed database eventually agree. The Bloom language for 
distributed database programming guarantees eventual consistency for distributed data collections that are updated 
monotonically. The initial formulation of Bloom had a notion of monotonicity based on set containment, analogous 
to the store ordering for single-assignment languages given in Definition 4. However, recent work by Conway et 
al. [9] generalizes Bloom to a more flexible lattice-parameterized system, Bloom^L, in a manner analogous to our 
generalization from IVars to LVars. Bloom^L comes with a library of built-in lattice types and also allows for users to 
implement their own lattice types as Ruby classes. Although Conway et al. do not give a proof of eventual consistency 
for Bloom^L, our determinism result for λLVar suggests that their generalization is indeed safe. Moreover, although 
the goals of Bloom differ from those of λLVar, we believe that Bloom^L bodes well for programmers' willingness to 
use lattice-based data structures like LVars, and lattice-parameterized languages based on them, to address real-world 
programming challenges. 

Quantum programming   The λLVar semantics is reminiscent of the semantics of quantum programming languages 
that extend a conventional λ-calculus with a store that maintains the quantum state. Because of quantum parallelism, 
the quantum state can be accessed by many threads in parallel, but only through a restricted interface. As a concrete 
example, the language designed by Selinger and Valiron [22] allows only the following operations on quantum data: 
(1) "appending" to the current data using the tensor product; (2) performing a unitary operation that must, by definition, 
act linearly and uniformly on the data; and (3) selecting a set of orthogonal subspaces and performing a measurement 
that projects the quantum state onto one of the subspaces. These operations correspond roughly to λLVar's new, put, and 
get. Quantum mechanics may serve as a source of inspiration when designing operations like consume that introduce 
limited nondeterminism. 


8 Conclusion

As single-assignment languages and Kahn process networks demonstrate, monotonicity serves as the foundation of deterministic parallelism. Taking monotonicity as a starting point, our work generalizes single assignment to monotonic multiple assignment parameterized by a user-specified lattice. By combining monotonic writes with threshold reads, we get a shared-state parallel programming model that generalizes and unifies an entire class of monotonic languages suitable for asynchronous, data-driven applications. Our model is provably deterministic, and further provides a foundation for exploration of limited nondeterminism. Future work will investigate implementation strategies, formally establish the relationship between λ_LVar and other deterministic parallel models, and prove the more limited guarantees provided by λ_LVar + consume.
A Proof of Determinism

Definition 9. Two stores $S$ and $S'$ are equal iff:

1. $S = \top_S$ and $S' = \top_S$, or

2. $\mathit{dom}(S) = \mathit{dom}(S')$ and for all $l \in \mathit{dom}(S)$, $S(l) = S'(l)$.

A.1 Renaming of Locations During a Step

Lemma 1 (Renaming of Locations During a Step). If $(S; e) \hookrightarrow (S'; e')$ (where $(S'; e') \neq \mathsf{error}$) and $\{l_1, \ldots, l_n\} = \mathit{dom}(S') - \mathit{dom}(S)$, then:

For all sets $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S')$ for $i \in [1..n]$:

$$(S; e) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \ldots [l'_n \mapsto S'(l_n)];\ e'[l_1 := l'_1] \ldots [l_n := l'_n]) \quad (\neq \mathsf{error}),$$

where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S'(l)$.

Proof. By induction on the derivation of $(S; e) \hookrightarrow (S'; e')$, by cases on the last rule in the derivation. Since $(S'; e') \neq \mathsf{error}$, we only need to consider rules that step to non-error configurations. In cases where $\mathit{dom}(S') - \mathit{dom}(S) = \emptyset$, the only possible set $\{l'_1, \ldots, l'_n\}$ is also $\emptyset$, so in such cases we need only show that $(S; e) \hookrightarrow (S_{\mathit{oldlocs}}; e')$.

A.1.1 E-Refl

• E-Refl:

Given: $(S; e) \hookrightarrow (S; e)$.

To show: $(S; e) \hookrightarrow (S_{\mathit{oldlocs}}; e)$, where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S(l)$.

Since $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$ and since for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S(l)$, we have by Definition 9 that $S_{\mathit{oldlocs}} = S$, so the case is immediate by E-Refl.

A.1.2 E-ParApp

• E-ParApp:

(NB: For simplicity, we elide renaming of $(S_1; e'_1)$ in this case, and assume without loss of generality that location names created during the transition $(S; e_1) \hookrightarrow (S_1; e'_1)$ are distinct from those created during the transition $(S; e_2) \hookrightarrow (S_2; e'_2)$.)

Given: $(S; e_1\ e_2) \hookrightarrow (S_1 \sqcup_S S_2; e'_1\ e'_2)$ and $\{l_1, \ldots, l_n\} = \mathit{dom}(S_1 \sqcup_S S_2) - \mathit{dom}(S)$.

To show: For all sets $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S_1 \sqcup_S S_2)$ for $i \in [1..n]$,

$$(S; e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto (S_1 \sqcup_S S_2)(l_1)] \ldots [l'_n \mapsto (S_1 \sqcup_S S_2)(l_n)];\ (e'_1\ e'_2)[l_1 := l'_1] \ldots [l_n := l'_n]),$$

where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = (S_1 \sqcup_S S_2)(l)$.

Consider arbitrary $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S_1 \sqcup_S S_2)$ for $i \in [1..n]$.

From the first two premises of E-ParApp, we have that $(S; e_1) \hookrightarrow (S_1; e'_1)$ and $(S; e_2) \hookrightarrow (S_2; e'_2)$.

Since we assume that location names created during $(S; e_1) \hookrightarrow (S_1; e'_1)$ are distinct from those created during $(S; e_2) \hookrightarrow (S_2; e'_2)$, and since $\{l_1, \ldots, l_n\} = \mathit{dom}(S_1 \sqcup_S S_2) - \mathit{dom}(S)$, we have that $\mathit{dom}(S_1) - \mathit{dom}(S) = \{l_1, \ldots, l_k\}$ and $\mathit{dom}(S_2) - \mathit{dom}(S) = \{l_{k+1}, \ldots, l_n\}$ for some $k$ such that $\{l_1, \ldots, l_k\} \cap \{l_{k+1}, \ldots, l_n\} = \emptyset$ and $\{l_1, \ldots, l_k\} \cup \{l_{k+1}, \ldots, l_n\} = \{l_1, \ldots, l_n\}$.

Then, by IH, we have the following two facts:

1. For all sets $\{l'_1, \ldots, l'_k\}$ such that $l'_i \notin \mathit{dom}(S_1)$ for $i \in [1..k]$:

$$(S; e_1) \hookrightarrow (S_{\mathit{oldlocs1}}[l'_1 \mapsto S_1(l_1)] \ldots [l'_k \mapsto S_1(l_k)];\ e'_1[l_1 := l'_1] \ldots [l_k := l'_k]) \neq \mathsf{error},$$

where $S_{\mathit{oldlocs1}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs1}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs1}})$, $S_{\mathit{oldlocs1}}(l) = S_1(l)$.

2. For all sets $\{l'_{k+1}, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S_2)$ for $i \in [k+1..n]$:

$$(S; e_2) \hookrightarrow (S_{\mathit{oldlocs2}}[l'_{k+1} \mapsto S_2(l_{k+1})] \ldots [l'_n \mapsto S_2(l_n)];\ e'_2[l_{k+1} := l'_{k+1}] \ldots [l_n := l'_n]) \neq \mathsf{error},$$

where $S_{\mathit{oldlocs2}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs2}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs2}})$, $S_{\mathit{oldlocs2}}(l) = S_2(l)$.

Instantiate facts (1) and (2) with $\{l'_1, \ldots, l'_k\}$ and $\{l'_{k+1}, \ldots, l'_n\}$, respectively, where $\{l'_1, \ldots, l'_k\} \cap \{l'_{k+1}, \ldots, l'_n\} = \emptyset$ and $\{l'_1, \ldots, l'_k\} \cup \{l'_{k+1}, \ldots, l'_n\} = \{l'_1, \ldots, l'_n\}$.

Note that since $l'_i \notin \mathit{dom}(S_1 \sqcup_S S_2)$ for $i \in [1..n]$, it is also the case that $l'_i \notin \mathit{dom}(S_1)$ for $i \in [1..k]$ and that $l'_i \notin \mathit{dom}(S_2)$ for $i \in [k+1..n]$. Therefore, we have that:

1. $(S; e_1) \hookrightarrow (S_{\mathit{oldlocs1}}[l'_1 \mapsto S_1(l_1)] \ldots [l'_k \mapsto S_1(l_k)];\ e'_1[l_1 := l'_1] \ldots [l_k := l'_k]) \neq \mathsf{error}$, where $S_{\mathit{oldlocs1}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs1}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs1}})$, $S_{\mathit{oldlocs1}}(l) = S_1(l)$.

2. $(S; e_2) \hookrightarrow (S_{\mathit{oldlocs2}}[l'_{k+1} \mapsto S_2(l_{k+1})] \ldots [l'_n \mapsto S_2(l_n)];\ e'_2[l_{k+1} := l'_{k+1}] \ldots [l_n := l'_n]) \neq \mathsf{error}$, where $S_{\mathit{oldlocs2}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs2}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs2}})$, $S_{\mathit{oldlocs2}}(l) = S_2(l)$.

Since

$$(S_{\mathit{oldlocs1}}[l'_1 \mapsto S_1(l_1)] \ldots [l'_k \mapsto S_1(l_k)];\ e'_1[l_1 := l'_1] \ldots [l_k := l'_k]) \neq \mathsf{error}$$

and

$$(S_{\mathit{oldlocs2}}[l'_{k+1} \mapsto S_2(l_{k+1})] \ldots [l'_n \mapsto S_2(l_n)];\ e'_2[l_{k+1} := l'_{k+1}] \ldots [l_n := l'_n]) \neq \mathsf{error},$$

we have that

$$S_{\mathit{oldlocs1}}[l'_1 \mapsto S_1(l_1)] \ldots [l'_k \mapsto S_1(l_k)] \neq \top_S$$

and

$$S_{\mathit{oldlocs2}}[l'_{k+1} \mapsto S_2(l_{k+1})] \ldots [l'_n \mapsto S_2(l_n)] \neq \top_S.$$

Further, since $S_1 \sqcup_S S_2 \neq \top_S$ (from the third premise of E-ParApp) and since $\{l'_1, \ldots, l'_k\} \cap \{l'_{k+1}, \ldots, l'_n\} = \emptyset$, we have that

$$S_{\mathit{oldlocs1}}[l'_1 \mapsto S_1(l_1)] \ldots [l'_k \mapsto S_1(l_k)] \sqcup_S S_{\mathit{oldlocs2}}[l'_{k+1} \mapsto S_2(l_{k+1})] \ldots [l'_n \mapsto S_2(l_n)] \neq \top_S.$$

Therefore, by E-ParApp, we have that $(S; e_1\ e_2)$ steps to

$$(S_{\mathit{oldlocs1}}[l'_1 \mapsto S_1(l_1)] \ldots [l'_k \mapsto S_1(l_k)] \sqcup_S S_{\mathit{oldlocs2}}[l'_{k+1} \mapsto S_2(l_{k+1})] \ldots [l'_n \mapsto S_2(l_n)];\ e'_1[l_1 := l'_1] \ldots [l_k := l'_k]\ e'_2[l_{k+1} := l'_{k+1}] \ldots [l_n := l'_n]).$$

It remains to show that the above configuration is equivalent to

$$(S_{\mathit{oldlocs}}[l'_1 \mapsto (S_1 \sqcup_S S_2)(l_1)] \ldots [l'_n \mapsto (S_1 \sqcup_S S_2)(l_n)];\ (e'_1\ e'_2)[l_1 := l'_1] \ldots [l_n := l'_n]),$$

which we show as follows.

First, since $\mathit{dom}(S_{\mathit{oldlocs1}}) = \mathit{dom}(S_{\mathit{oldlocs2}}) = \mathit{dom}(S)$, we have that:

$$\begin{aligned}
&(S_{\mathit{oldlocs1}}[l'_1 \mapsto S_1(l_1)] \ldots [l'_k \mapsto S_1(l_k)]) \sqcup_S (S_{\mathit{oldlocs2}}[l'_{k+1} \mapsto S_2(l_{k+1})] \ldots [l'_n \mapsto S_2(l_n)]) \\
&= (S_{\mathit{oldlocs1}} \sqcup_S S_{\mathit{oldlocs2}})[l'_1 \mapsto S_1(l_1)] \ldots [l'_k \mapsto S_1(l_k)][l'_{k+1} \mapsto S_2(l_{k+1})] \ldots [l'_n \mapsto S_2(l_n)].
\end{aligned}$$

Note that $\mathit{dom}(S_{\mathit{oldlocs1}} \sqcup_S S_{\mathit{oldlocs2}}) = \mathit{dom}(S)$. Therefore $\mathit{dom}(S_{\mathit{oldlocs1}} \sqcup_S S_{\mathit{oldlocs2}}) = \mathit{dom}(S_{\mathit{oldlocs}})$. Further, by Definition 3 we have that for all $l \in \mathit{dom}(S_{\mathit{oldlocs1}} \sqcup_S S_{\mathit{oldlocs2}})$, $(S_{\mathit{oldlocs1}} \sqcup_S S_{\mathit{oldlocs2}})(l) = S_{\mathit{oldlocs1}}(l) \sqcup S_{\mathit{oldlocs2}}(l) = S_1(l) \sqcup S_2(l) = (S_1 \sqcup_S S_2)(l) = S_{\mathit{oldlocs}}(l)$. Therefore, by Definition 9, we have that $S_{\mathit{oldlocs1}} \sqcup_S S_{\mathit{oldlocs2}} = S_{\mathit{oldlocs}}$. Continuing from above, then, we have that

$$\begin{aligned}
&(S_{\mathit{oldlocs1}} \sqcup_S S_{\mathit{oldlocs2}})[l'_1 \mapsto S_1(l_1)] \ldots [l'_k \mapsto S_1(l_k)][l'_{k+1} \mapsto S_2(l_{k+1})] \ldots [l'_n \mapsto S_2(l_n)] \\
&= S_{\mathit{oldlocs}}[l'_1 \mapsto S_1(l_1)] \ldots [l'_k \mapsto S_1(l_k)][l'_{k+1} \mapsto S_2(l_{k+1})] \ldots [l'_n \mapsto S_2(l_n)].
\end{aligned}$$

Next, since $\{l_1, \ldots, l_k\} \cap \{l_{k+1}, \ldots, l_n\} = \emptyset$, we have that $l_i \notin \mathit{dom}(S_2)$ for $i \in [1..k]$ and $l_i \notin \mathit{dom}(S_1)$ for $i \in [k+1..n]$. Therefore $S_1(l_i) = (S_1 \sqcup_S S_2)(l_i)$ for $i \in [1..k]$ and $S_2(l_i) = (S_1 \sqcup_S S_2)(l_i)$ for $i \in [k+1..n]$, and so we have

$$\begin{aligned}
&S_{\mathit{oldlocs}}[l'_1 \mapsto S_1(l_1)] \ldots [l'_k \mapsto S_1(l_k)][l'_{k+1} \mapsto S_2(l_{k+1})] \ldots [l'_n \mapsto S_2(l_n)] \\
&= S_{\mathit{oldlocs}}[l'_1 \mapsto (S_1 \sqcup_S S_2)(l_1)] \ldots [l'_k \mapsto (S_1 \sqcup_S S_2)(l_k)][l'_{k+1} \mapsto (S_1 \sqcup_S S_2)(l_{k+1})] \ldots [l'_n \mapsto (S_1 \sqcup_S S_2)(l_n)] \\
&= S_{\mathit{oldlocs}}[l'_1 \mapsto (S_1 \sqcup_S S_2)(l_1)] \ldots [l'_n \mapsto (S_1 \sqcup_S S_2)(l_n)].
\end{aligned}$$

Finally, we need to show that $(e'_1\ e'_2)[l_1 := l'_1] \ldots [l_n := l'_n]$ is equivalent to

$$e'_1[l_1 := l'_1] \ldots [l_k := l'_k]\ e'_2[l_{k+1} := l'_{k+1}] \ldots [l_n := l'_n].$$

Here, note that $l_{k+1}, \ldots, l_n$ cannot occur in $e'_1$ and $l_1, \ldots, l_k$ cannot occur in $e'_2$. Therefore the above expression is equivalent to

$$e'_1[l_1 := l'_1] \ldots [l_n := l'_n]\ e'_2[l_1 := l'_1] \ldots [l_n := l'_n],$$

which is equivalent to $(e'_1\ e'_2)[l_1 := l'_1] \ldots [l_n := l'_n]$. Therefore we have that

$$(S; e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto (S_1 \sqcup_S S_2)(l_1)] \ldots [l'_n \mapsto (S_1 \sqcup_S S_2)(l_n)];\ (e'_1\ e'_2)[l_1 := l'_1] \ldots [l_n := l'_n]),$$

as we were required to show.

A.1.3 E-Put-1

• E-Put-1:

Given: $(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_1; \mathsf{put}\ e'_1\ e_2)$ and $\{l_1, \ldots, l_n\} = \mathit{dom}(S_1) - \mathit{dom}(S)$.

To show: For all sets $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S_1)$ for $i \in [1..n]$,

$$(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_1(l_1)] \ldots [l'_n \mapsto S_1(l_n)];\ (\mathsf{put}\ e'_1\ e_2)[l_1 := l'_1] \ldots [l_n := l'_n]),$$

where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S_1(l)$.

Consider arbitrary $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S_1)$ for $i \in [1..n]$.

From the premise of E-Put-1, we have that $(S; e_1) \hookrightarrow (S_1; e'_1)$. By IH we have that

$$(S; e_1) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_1(l_1)] \ldots [l'_n \mapsto S_1(l_n)];\ e'_1[l_1 := l'_1] \ldots [l_n := l'_n]).$$

Therefore, by E-Put-1 we have that:

$$(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_1(l_1)] \ldots [l'_n \mapsto S_1(l_n)];\ \mathsf{put}\ e'_1[l_1 := l'_1] \ldots [l_n := l'_n]\ e_2).$$

Note that $l_1, \ldots, l_n$ do not occur in $e_2$, for if some $l_i$ occurred in $e_2$, then we would have $l_i \in \mathit{dom}(S)$, which contradicts $\{l_1, \ldots, l_n\} = \mathit{dom}(S_1) - \mathit{dom}(S)$. Therefore $e_2 = e_2[l_1 := l'_1] \ldots [l_n := l'_n]$, and so we have:

$$(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_1(l_1)] \ldots [l'_n \mapsto S_1(l_n)];\ \mathsf{put}\ e'_1[l_1 := l'_1] \ldots [l_n := l'_n]\ e_2[l_1 := l'_1] \ldots [l_n := l'_n]),$$

which is equivalent to

$$(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_1(l_1)] \ldots [l'_n \mapsto S_1(l_n)];\ (\mathsf{put}\ e'_1\ e_2)[l_1 := l'_1] \ldots [l_n := l'_n]),$$

as we were required to show.

A.1.4 E-Put-2

• E-Put-2:

Given: $(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_2; \mathsf{put}\ e_1\ e'_2)$ and $\{l_1, \ldots, l_n\} = \mathit{dom}(S_2) - \mathit{dom}(S)$.

To show: For all sets $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S_2)$ for $i \in [1..n]$,

$$(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_2(l_1)] \ldots [l'_n \mapsto S_2(l_n)];\ (\mathsf{put}\ e_1\ e'_2)[l_1 := l'_1] \ldots [l_n := l'_n]),$$

where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S_2(l)$.

Consider arbitrary $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S_2)$ for $i \in [1..n]$.

From the premise of E-Put-2, we have that $(S; e_2) \hookrightarrow (S_2; e'_2)$. By IH we have that

$$(S; e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_2(l_1)] \ldots [l'_n \mapsto S_2(l_n)];\ e'_2[l_1 := l'_1] \ldots [l_n := l'_n]).$$

Therefore, by E-Put-2 we have that:

$$(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_2(l_1)] \ldots [l'_n \mapsto S_2(l_n)];\ \mathsf{put}\ e_1\ e'_2[l_1 := l'_1] \ldots [l_n := l'_n]).$$

Note that $l_1, \ldots, l_n$ do not occur in $e_1$, for if some $l_i$ occurred in $e_1$, then we would have $l_i \in \mathit{dom}(S)$, which contradicts $\{l_1, \ldots, l_n\} = \mathit{dom}(S_2) - \mathit{dom}(S)$. Therefore $e_1 = e_1[l_1 := l'_1] \ldots [l_n := l'_n]$, and so we have:

$$(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_2(l_1)] \ldots [l'_n \mapsto S_2(l_n)];\ \mathsf{put}\ e_1[l_1 := l'_1] \ldots [l_n := l'_n]\ e'_2[l_1 := l'_1] \ldots [l_n := l'_n]),$$

which is equivalent to

$$(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_2(l_1)] \ldots [l'_n \mapsto S_2(l_n)];\ (\mathsf{put}\ e_1\ e'_2)[l_1 := l'_1] \ldots [l_n := l'_n]),$$

as we were required to show.

A.1.5 E-PutVal

• E-PutVal:

Given: $(S; \mathsf{put}\ l\ \{d_1\}) \hookrightarrow (S[l \mapsto d_1 \sqcup d_2]; \{\})$ (note that no new locations are created during this transition, since we already have $l \in \mathit{dom}(S)$ from the $S(l) = d_2$ premise of E-PutVal).

To show: $(S; \mathsf{put}\ l\ \{d_1\}) \hookrightarrow (S_{\mathit{oldlocs}}; \{\})$, where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all $l' \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l') = (S[l \mapsto d_1 \sqcup d_2])(l')$.

Since $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S) = \mathit{dom}(S[l \mapsto d_1 \sqcup d_2])$ and since for all $l' \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l') = (S[l \mapsto d_1 \sqcup d_2])(l')$, we have by Definition 9 that $S_{\mathit{oldlocs}} = S[l \mapsto d_1 \sqcup d_2]$, so the case is immediate by E-PutVal.
A.1.6 E-Get-1

• Case E-Get-1: Analogous to E-Put-1.

A.1.7 E-Get-2

• Case E-Get-2: Analogous to E-Put-2.

A.1.8 E-GetVal

• E-GetVal:

Given: $(S; \mathsf{get}\ l\ Q) \hookrightarrow (S; \{d_1\})$.

To show: $(S; \mathsf{get}\ l\ Q) \hookrightarrow (S_{\mathit{oldlocs}}; \{d_1\})$, where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all $l' \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l') = S(l')$.

Since $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$ and since for all $l' \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l') = S(l')$, we have by Definition 9 that $S_{\mathit{oldlocs}} = S$, so the case is immediate by E-GetVal.

A.1.9 E-Convert

• E-Convert:

Given: $(S; \mathsf{convert}\ e) \hookrightarrow (S'; \mathsf{convert}\ e')$ and $\{l_1, \ldots, l_n\} = \mathit{dom}(S') - \mathit{dom}(S)$.

To show: For all sets $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S')$ for $i \in [1..n]$,

$$(S; \mathsf{convert}\ e) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \ldots [l'_n \mapsto S'(l_n)];\ (\mathsf{convert}\ e')[l_1 := l'_1] \ldots [l_n := l'_n]),$$

where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S'(l)$.

Consider arbitrary $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S')$ for $i \in [1..n]$.

From the premise of E-Convert, we have that $(S; e) \hookrightarrow (S'; e')$. By IH we have that

$$(S; e) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \ldots [l'_n \mapsto S'(l_n)];\ e'[l_1 := l'_1] \ldots [l_n := l'_n]).$$

Therefore, by E-Convert we have that:

$$(S; \mathsf{convert}\ e) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \ldots [l'_n \mapsto S'(l_n)];\ \mathsf{convert}\ e'[l_1 := l'_1] \ldots [l_n := l'_n]),$$

which is equivalent to

$$(S; \mathsf{convert}\ e) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \ldots [l'_n \mapsto S'(l_n)];\ (\mathsf{convert}\ e')[l_1 := l'_1] \ldots [l_n := l'_n]),$$

as we were required to show.

A.1.10 E-ConvertVal

• E-ConvertVal:

Given: $(S; \mathsf{convert}\ v) \hookrightarrow (S; \delta(v))$.

To show: $(S; \mathsf{convert}\ v) \hookrightarrow (S_{\mathit{oldlocs}}; \delta(v))$, where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S(l)$.

Since $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$ and since for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S(l)$, we have by Definition 9 that $S_{\mathit{oldlocs}} = S$, so the case is immediate by E-ConvertVal.
A.1.11 E-Beta

• E-Beta:

Given: $(S; (\lambda x.\ e)\ v) \hookrightarrow (S; e[x := v])$.

To show: $(S; (\lambda x.\ e)\ v) \hookrightarrow (S_{\mathit{oldlocs}}; e[x := v])$, where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S(l)$.

Since $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$ and since for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S(l)$, we have by Definition 9 that $S_{\mathit{oldlocs}} = S$, so the case is immediate by E-Beta.

A.1.12 E-New

• E-New:

Given: $(S; \mathsf{new}) \hookrightarrow (S[l \mapsto \bot]; l)$.

To show: For all $l' \notin \mathit{dom}(S[l \mapsto \bot])$,

$$(S; \mathsf{new}) \hookrightarrow (S_{\mathit{oldlocs}}[l' \mapsto \bot]; l'),$$

where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all $l'' \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l'') = (S[l \mapsto \bot])(l'')$.

We have from the definition of $S_{\mathit{oldlocs}}$ that $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$. Then, since the transition $(S; \mathsf{new}) \hookrightarrow (S[l \mapsto \bot]; l)$ does not update any existing bindings (since $l \notin \mathit{dom}(S)$ from the side condition of E-New), $S_{\mathit{oldlocs}}(l'') = S(l'')$ for all $l'' \in \mathit{dom}(S)$. So, by Definition 9, $S_{\mathit{oldlocs}} = S$.

Therefore, we have only to show that $(S; \mathsf{new}) \hookrightarrow (S[l' \mapsto \bot]; l')$, which is immediate by E-New since $l' \notin \mathit{dom}(S)$, which follows from $l' \notin \mathit{dom}(S[l \mapsto \bot])$.

□


A.2 Safety of rename

Lemma 1 characterizes the circumstances under which location renamings are safe. In the context of a transition $(S; e) \hookrightarrow (S'; e')$, it characterizes the set of safe renamings of $S'$ as those that can be expressed as a store $S_{\mathit{oldlocs}}$ (whose domain is equal to the domain of $S$, but whose codomain may differ from that of $S$ because of updates to existing bindings), extended with bindings from each new location name to the value bound by the corresponding location name in $S'$.

The $\mathit{rename}$ metafunction, on the other hand, is defined algorithmically: it takes a configuration $(S'; e')$ and stores $S''$ and $S$ as arguments and performs capture-avoiding substitution of new location names for the corresponding old ones in $(S'; e')$, where the names to be replaced and the names they are to be replaced with are chosen based on $S''$ and $S$. In and of itself, the $\mathit{rename}$ metafunction does nothing to ensure that the renaming it performs is "safe"—it is up to the caller to use it correctly. Lemma 2 shows that in the circumstances where we use $\mathit{rename}$—namely, the circumstances where a configuration $(S; e)$ has stepped to $(S'; e')$ and there exists a third store $S'' \neq \top_S$—the renaming $\mathit{rename}((S'; e'), S'', S)$ meets the specification that Lemma 1 sets.

Lemma 2 (Safety of rename). If $(S; e) \hookrightarrow (S'; e')$ (where $(S'; e') \neq \mathsf{error}$) and $S'' \neq \top_S$, then:

$$(S; e) \hookrightarrow \mathit{rename}((S'; e'), S'', S).$$

Proof. From the definition of $\mathit{rename}$, we have that:

$$\begin{aligned}
\mathit{rename}((S'; e'), S'', S) &= (S'; e')[l_1 := l'_1] \ldots [l_n := l'_n] \\
&= (S'[l_1 := l'_1] \ldots [l_n := l'_n];\ e'[l_1 := l'_1] \ldots [l_n := l'_n]),
\end{aligned}$$

where:

• $\{l_1, \ldots, l_n\} = \mathit{dom}(S') - \mathit{dom}(S)$, and

• $\{l'_1, \ldots, l'_n\}$ is a set such that $l'_i \notin (\mathit{dom}(S') \cup \mathit{dom}(S''))$ for $i \in [1..n]$.

Therefore we need to show that $(S; e) \hookrightarrow (S'[l_1 := l'_1] \ldots [l_n := l'_n];\ e'[l_1 := l'_1] \ldots [l_n := l'_n])$, with $\{l_1, \ldots, l_n\}$ and $\{l'_1, \ldots, l'_n\}$ defined as above.

Applying Lemma 1 to $(S; e) \hookrightarrow (S'; e')$ and $\{l_1, \ldots, l_n\}$, we have that for all sets $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S')$ for $i \in [1..n]$:

$$(S; e) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \ldots [l'_n \mapsto S'(l_n)];\ e'[l_1 := l'_1] \ldots [l_n := l'_n]),$$

where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S'(l)$.

Instantiate that result with $\{l'_1, \ldots, l'_n\}$. Note that since $l'_i \notin (\mathit{dom}(S') \cup \mathit{dom}(S''))$ for $i \in [1..n]$, we have that $l'_i \notin \mathit{dom}(S')$ for $i \in [1..n]$. Therefore we have that

$$(S; e) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \ldots [l'_n \mapsto S'(l_n)];\ e'[l_1 := l'_1] \ldots [l_n := l'_n]).$$

Since our goal is to show that

$$(S; e) \hookrightarrow (S'[l_1 := l'_1] \ldots [l_n := l'_n];\ e'[l_1 := l'_1] \ldots [l_n := l'_n]),$$

all that remains is to show that $S'[l_1 := l'_1] \ldots [l_n := l'_n]$ and $S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \ldots [l'_n \mapsto S'(l_n)]$ are equal.

By Definition 9 we have to show that:

• $\mathit{dom}(S'[l_1 := l'_1] \ldots [l_n := l'_n]) = \mathit{dom}(S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \ldots [l'_n \mapsto S'(l_n)])$, and

• for all $l'' \in \mathit{dom}(S'[l_1 := l'_1] \ldots [l_n := l'_n])$,

$$(S'[l_1 := l'_1] \ldots [l_n := l'_n])(l'') = (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \ldots [l'_n \mapsto S'(l_n)])(l'').$$

For the first conjunct, $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$ by definition, so

$$\begin{aligned}
\mathit{dom}(S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \ldots [l'_n \mapsto S'(l_n)]) &= \mathit{dom}(S) \cup \{l'_1, \ldots, l'_n\} \\
&= \mathit{dom}(S) \cup \{l_1, \ldots, l_n\}[l_1 := l'_1] \ldots [l_n := l'_n] \\
&= \mathit{dom}(S) \cup (\mathit{dom}(S') - \mathit{dom}(S))[l_1 := l'_1] \ldots [l_n := l'_n] \\
&= \mathit{dom}(S) \cup (\mathit{dom}(S')[l_1 := l'_1] \ldots [l_n := l'_n] - \mathit{dom}(S)) \quad \text{(since } l_i \notin \mathit{dom}(S)\text{)} \\
&= \mathit{dom}(S) \cup \mathit{dom}(S')[l_1 := l'_1] \ldots [l_n := l'_n] \\
&= \mathit{dom}(S) \cup \mathit{dom}(S'[l_1 := l'_1] \ldots [l_n := l'_n]) \\
&= \mathit{dom}(S'[l_1 := l'_1] \ldots [l_n := l'_n]) \quad \text{(since } \mathit{dom}(S) \subseteq \mathit{dom}(S') \text{ and } l_i \notin \mathit{dom}(S)\text{)}.
\end{aligned}$$

For the second conjunct, there are two possibilities for $l''$:

• $l'' \in \mathit{dom}(S)$:

$$\begin{aligned}
(S'[l_1 := l'_1] \ldots [l_n := l'_n])(l'') &= S'(l'') \quad \text{(since } l_i \notin \mathit{dom}(S)\text{)} \\
&= S_{\mathit{oldlocs}}(l'') \quad \text{(since } S_{\mathit{oldlocs}}(l) = S'(l) \text{ for all } l \in \mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)\text{)} \\
&= (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \ldots [l'_n \mapsto S'(l_n)])(l'') \quad \text{(since additional bindings are irrelevant to the lookup of } l''\text{)}.
\end{aligned}$$

• $l'' \in \{l'_1, \ldots, l'_n\}$:

$$\begin{aligned}
(S'[l_1 := l'_1] \ldots [l_n := l'_n])(l'') &= ([l'_1 \mapsto S'(l_1)] \ldots [l'_n \mapsto S'(l_n)])(l'') \\
&= (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \ldots [l'_n \mapsto S'(l_n)])(l'') \quad \text{(since additional bindings are irrelevant to the lookup of } l''\text{)}.
\end{aligned}$$

Therefore $S'[l_1 := l'_1] \ldots [l_n := l'_n]$ and $S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \ldots [l'_n \mapsto S'(l_n)]$ are equal. Since both their stores and expressions are equal, then, we have that

$$\mathit{rename}((S'; e'), S'', S) = (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \ldots [l'_n \mapsto S'(l_n)];\ e'[l_1 := l'_1] \ldots [l_n := l'_n]),$$

as we were required to show. □

A.3 Independence

Lemma 3 (Independence). If $(S; e) \hookrightarrow (S'; e')$ (where $(S'; e') \neq \mathsf{error}$), then for all $S''$ such that $S''$ is non-conflicting with $(S; e) \hookrightarrow (S'; e')$ and $S' \sqcup_S S'' \neq \top_S$:

$$(S \sqcup_S S''; e) \hookrightarrow (S' \sqcup_S S''; e').$$

Proof. Consider arbitrary $S''$ such that $S''$ is non-conflicting with $(S; e) \hookrightarrow (S'; e')$ and $S' \sqcup_S S'' \neq \top_S$. To show: $(S \sqcup_S S''; e) \hookrightarrow (S' \sqcup_S S''; e')$.

The proof is by induction on the derivation of $(S; e) \hookrightarrow (S'; e')$, by cases on the last rule in the derivation. Since $(S'; e') \neq \mathsf{error}$, we only need to consider rules that step to non-error configurations. The requirement that $S''$ is non-conflicting with $(S; e) \hookrightarrow (S'; e')$ is only needed in the E-New case.

• Case E-Refl:

Given: $(S; e) \hookrightarrow (S; e)$, and $S \sqcup_S S'' \neq \top_S$.

To show: $(S \sqcup_S S''; e) \hookrightarrow (S \sqcup_S S''; e)$.

The proof is immediate by E-Refl.

• Case E-ParApp:

Given: $(S; e_1\ e_2) \hookrightarrow (S''_1 \sqcup_S S_2; e''_1\ e'_2)$, and $(S''_1 \sqcup_S S_2) \sqcup_S S'' \neq \top_S$.

To show: $(S \sqcup_S S''; e_1\ e_2) \hookrightarrow ((S''_1 \sqcup_S S_2) \sqcup_S S''; e''_1\ e'_2)$.

From the premises of E-ParApp, we have that $(S; e_1) \hookrightarrow (S_1; e'_1)$, $(S; e_2) \hookrightarrow (S_2; e'_2)$, and $(S''_1; e''_1) = \mathit{rename}((S_1; e'_1), S_2, S)$.

Since $(S''_1 \sqcup_S S_2) \sqcup_S S'' \neq \top_S$, we have that $S_2 \neq \top_S$. Therefore, since $(S; e_1) \hookrightarrow (S_1; e'_1)$, by Lemma 2 we have that $(S; e_1) \hookrightarrow \mathit{rename}((S_1; e'_1), S_2, S)$. Since $(S''_1; e''_1) = \mathit{rename}((S_1; e'_1), S_2, S)$, we have that $(S; e_1) \hookrightarrow (S''_1; e''_1)$.

Since $(S''_1 \sqcup_S S_2) \sqcup_S S'' \neq \top_S$, we know that $S''_1 \sqcup_S S'' \neq \top_S$ and $S_2 \sqcup_S S'' \neq \top_S$.

Therefore, by IH, we have that $(S \sqcup_S S''; e_1) \hookrightarrow (S''_1 \sqcup_S S''; e''_1)$ and that $(S \sqcup_S S''; e_2) \hookrightarrow (S_2 \sqcup_S S''; e'_2)$.

Since $(S''_1 \sqcup_S S_2) \sqcup_S S'' \neq \top_S$, we have that $(S''_1 \sqcup_S S'') \sqcup_S (S_2 \sqcup_S S'') \neq \top_S$.

Therefore, by E-ParApp we have that $(S \sqcup_S S''; e_1\ e_2) \hookrightarrow ((S''_1 \sqcup_S S'') \sqcup_S (S_2 \sqcup_S S''); e''_1\ e'_2)$.

Since $(S''_1 \sqcup_S S'') \sqcup_S (S_2 \sqcup_S S'')$ is equal to $(S''_1 \sqcup_S S_2) \sqcup_S S''$, we have that $(S \sqcup_S S''; e_1\ e_2) \hookrightarrow ((S''_1 \sqcup_S S_2) \sqcup_S S''; e''_1\ e'_2)$, as required.

• Case E-Put-1:

Given: $(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_1; \mathsf{put}\ e'_1\ e_2)$, and $S_1 \sqcup_S S'' \neq \top_S$.

To show: $(S \sqcup_S S''; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_1 \sqcup_S S''; \mathsf{put}\ e'_1\ e_2)$.

From the premise of E-Put-1, we have that $(S; e_1) \hookrightarrow (S_1; e'_1)$. Since $S_1 \sqcup_S S'' \neq \top_S$, by IH we have that $(S \sqcup_S S''; e_1) \hookrightarrow (S_1 \sqcup_S S''; e'_1)$.

Therefore, by E-Put-1 we have that $(S \sqcup_S S''; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_1 \sqcup_S S''; \mathsf{put}\ e'_1\ e_2)$, as required.
• Case E-Put-2:

Given: $(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_2; \mathsf{put}\ e_1\ e'_2)$, and $S_2 \sqcup_S S'' \neq \top_S$.

To show: $(S \sqcup_S S''; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_2 \sqcup_S S''; \mathsf{put}\ e_1\ e'_2)$.

From the premise of E-Put-2, we have that $(S; e_2) \hookrightarrow (S_2; e'_2)$. Since $S_2 \sqcup_S S'' \neq \top_S$, by IH we have that $(S \sqcup_S S''; e_2) \hookrightarrow (S_2 \sqcup_S S''; e'_2)$.

Therefore, by E-Put-2 we have that $(S \sqcup_S S''; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_2 \sqcup_S S''; \mathsf{put}\ e_1\ e'_2)$, as required.

• Case E-Get-1: Analogous to E-Put-1.

• Case E-Get-2: Analogous to E-Put-2.

• Case E-Convert:

Given: $(S; \mathsf{convert}\ e) \hookrightarrow (S'; \mathsf{convert}\ e')$, and $S' \sqcup_S S'' \neq \top_S$.

To show: $(S \sqcup_S S''; \mathsf{convert}\ e) \hookrightarrow (S' \sqcup_S S''; \mathsf{convert}\ e')$.

From the premise of E-Convert, we have that $(S; e) \hookrightarrow (S'; e')$. Since $S' \sqcup_S S'' \neq \top_S$, by IH we have that $(S \sqcup_S S''; e) \hookrightarrow (S' \sqcup_S S''; e')$.

Therefore, by E-Convert we have that $(S \sqcup_S S''; \mathsf{convert}\ e) \hookrightarrow (S' \sqcup_S S''; \mathsf{convert}\ e')$, as required.

• Case E-Beta:

Given: $(S; (\lambda x.\ e)\ v) \hookrightarrow (S; e[x := v])$, and $S \sqcup_S S'' \neq \top_S$.

To show: $(S \sqcup_S S''; (\lambda x.\ e)\ v) \hookrightarrow (S \sqcup_S S''; e[x := v])$.

Immediate by E-Beta.

• Case E-New:

Given: $(S; \mathsf{new}) \hookrightarrow (S[l \mapsto \bot]; l)$ (where $l \notin \mathit{dom}(S)$), $S''$ is non-conflicting with $(S; \mathsf{new}) \hookrightarrow (S[l \mapsto \bot]; l)$, and $S[l \mapsto \bot] \sqcup_S S'' \neq \top_S$.

To show: $(S \sqcup_S S''; \mathsf{new}) \hookrightarrow (S[l \mapsto \bot] \sqcup_S S''; l)$.

By E-New, we have that $(S \sqcup_S S''; \mathsf{new}) \hookrightarrow ((S \sqcup_S S'')[l' \mapsto \bot]; l')$, where $l' \notin \mathit{dom}(S \sqcup_S S'')$. One of the following two possibilities must hold:

– $l' = l$.

In this case, we immediately have that $(S \sqcup_S S''; \mathsf{new}) \hookrightarrow ((S \sqcup_S S'')[l \mapsto \bot]; l)$.

– $l' \neq l$.

In this case, we apply Lemma 1 to $(S \sqcup_S S''; \mathsf{new}) \hookrightarrow ((S \sqcup_S S'')[l' \mapsto \bot]; l')$ and $\{l'\}$. Therefore, for all $l''$ such that $l'' \notin \mathit{dom}((S \sqcup_S S'')[l' \mapsto \bot])$,

$$\begin{aligned}
(S \sqcup_S S''; \mathsf{new}) &\hookrightarrow (S_{\mathit{oldlocs}}[l'' \mapsto ((S \sqcup_S S'')[l' \mapsto \bot])(l')];\ l'[l' := l'']) \\
&= (S_{\mathit{oldlocs}}[l'' \mapsto \bot];\ l''),
\end{aligned}$$

where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S \sqcup_S S'')$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = ((S \sqcup_S S'')[l' \mapsto \bot])(l)$.

Note that since $l' \notin \mathit{dom}(S \sqcup_S S'')$, $S_{\mathit{oldlocs}}(l) = (S \sqcup_S S'')(l)$ for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$. Therefore, since $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S \sqcup_S S'')$ and $S_{\mathit{oldlocs}}(l) = (S \sqcup_S S'')(l)$ for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, the conditions of Definition 9 are satisfied, and $S_{\mathit{oldlocs}} = S \sqcup_S S''$.

Therefore, we have that for all $l''$ such that $l'' \notin \mathit{dom}((S \sqcup_S S'')[l' \mapsto \bot])$,

$$(S \sqcup_S S''; \mathsf{new}) \hookrightarrow ((S \sqcup_S S'')[l'' \mapsto \bot]; l'').$$

Instantiate the above with $l$. Since $S''$ is non-conflicting with $(S; \mathsf{new}) \hookrightarrow (S[l \mapsto \bot]; l)$, we know that $l \notin \mathit{dom}(S'')$, and we have from the side condition of E-New that $l \notin \mathit{dom}(S)$. Therefore $l \notin \mathit{dom}(S \sqcup_S S'')$, and since $l \neq l'$, we have that $l \notin \mathit{dom}((S \sqcup_S S'')[l' \mapsto \bot])$. Therefore, $(S \sqcup_S S''; \mathsf{new}) \hookrightarrow ((S \sqcup_S S'')[l \mapsto \bot]; l)$.

So, regardless of whether $l' = l$ or $l' \neq l$, we can conclude $(S \sqcup_S S''; \mathsf{new}) \hookrightarrow ((S \sqcup_S S'')[l \mapsto \bot]; l)$. Then, since $S''$ is non-conflicting with $(S; \mathsf{new}) \hookrightarrow (S[l \mapsto \bot]; l)$, we have that $l \notin \mathit{dom}(S'')$, and we have from the side condition of E-New that $l \notin \mathit{dom}(S)$. Therefore, we have:

$$\begin{aligned}
(S \sqcup_S S'')[l \mapsto \bot] &= S[l \mapsto \bot] \sqcup_S S''[l \mapsto \bot] \\
&= S \sqcup_S [l \mapsto \bot] \sqcup_S S'' \sqcup_S [l \mapsto \bot] \\
&= S \sqcup_S [l \mapsto \bot] \sqcup_S S'' \\
&= S[l \mapsto \bot] \sqcup_S S''.
\end{aligned}$$

Therefore $(S \sqcup_S S''; \mathsf{new}) \hookrightarrow (S[l \mapsto \bot] \sqcup_S S''; l)$, as we were required to show.
• Case E-PutVal:

Given: $(S; \mathsf{put}\ l\ \{d_1\}) \hookrightarrow (S[l \mapsto d_1 \sqcup d_2]; \{\})$, and $S[l \mapsto d_1 \sqcup d_2] \sqcup_S S'' \neq \top_S$.

To show: $(S \sqcup_S S''; \mathsf{put}\ l\ \{d_1\}) \hookrightarrow (S[l \mapsto d_1 \sqcup d_2] \sqcup_S S''; \{\})$.

We have two cases:

– $l \notin \mathit{dom}(S'')$.

In this case, since $S(l) = d_2$ (from the premises of E-PutVal), we know that $(S \sqcup_S S'')(l) = d_2$. Therefore, by E-PutVal, $(S \sqcup_S S''; \mathsf{put}\ l\ \{d_1\}) \hookrightarrow (S[l \mapsto d_1 \sqcup d_2] \sqcup_S S''; \{\})$, as we were required to show.

– $l \in \mathit{dom}(S'')$.

Since $S(l) = d_2$ (from the premises of E-PutVal), we know that $(S \sqcup_S S'')(l) = d'_2$, where $d_2 \sqsubseteq d'_2$. We show that $d_1 \sqcup d'_2 \neq \top$, as follows:

* Since $S[l \mapsto d_1 \sqcup d_2] \sqcup_S S'' \neq \top_S$, we know that $(S[l \mapsto d_1 \sqcup d_2])(l) \sqcup S''(l) \neq \top$.

* Therefore, we have:

$$\begin{aligned}
\top &\neq (S[l \mapsto d_1 \sqcup d_2])(l) \sqcup S''(l) \\
&= d_1 \sqcup d_2 \sqcup S''(l) \quad \text{(since } (S[l \mapsto d_1 \sqcup d_2])(l) = d_1 \sqcup d_2\text{)} \\
&= d_1 \sqcup S(l) \sqcup S''(l) \quad \text{(since } S(l) = d_2\text{)} \\
&= S(l) \sqcup S''(l) \sqcup d_1 \\
&= d_1 \sqcup (S \sqcup_S S'')(l) \\
&= d_1 \sqcup d'_2.
\end{aligned}$$

Since $(S \sqcup_S S'')(l) = d'_2$ and $d_1 \sqcup d'_2 \neq \top$, by E-PutVal we have that

$$(S \sqcup_S S''; \mathsf{put}\ l\ \{d_1\}) \hookrightarrow ((S \sqcup_S S'')[l \mapsto d_1 \sqcup d'_2]; \{\}).$$

It remains to show that $(S \sqcup_S S'')[l \mapsto d_1 \sqcup d'_2]$ is equal to $S[l \mapsto d_1 \sqcup d_2] \sqcup_S S''$.

By Definition 9, to show that the stores are equal, we have two requirements to satisfy:

* $\mathit{dom}((S \sqcup_S S'')[l \mapsto d_1 \sqcup d'_2]) = \mathit{dom}(S[l \mapsto d_1 \sqcup d_2] \sqcup_S S'')$, and

* for all $l'$, $((S \sqcup_S S'')[l \mapsto d_1 \sqcup d'_2])(l') = (S[l \mapsto d_1 \sqcup d_2] \sqcup_S S'')(l')$.

The first requirement follows from the observation that

$$\begin{aligned}
\mathit{dom}((S \sqcup_S S'')[l \mapsto d_1 \sqcup d'_2]) &= \mathit{dom}(S \sqcup_S S'') \cup \{l\} \\
&= \mathit{dom}(S) \cup \{l\} \cup \mathit{dom}(S'') \\
&= \mathit{dom}(S[l \mapsto d_1 \sqcup d_2]) \cup \mathit{dom}(S'') \\
&= \mathit{dom}(S[l \mapsto d_1 \sqcup d_2] \sqcup_S S'').
\end{aligned}$$

For the second requirement, we have two cases to consider:

* $l' \neq l$: In this case, bindings for $l$ are irrelevant, so

$$\begin{aligned}
((S \sqcup_S S'')[l \mapsto d_1 \sqcup d'_2])(l') &= (S \sqcup_S S'')(l') \\
&= (S[l \mapsto d_1 \sqcup d_2] \sqcup_S S'')(l'),
\end{aligned}$$

as required.

* $l' = l$: In this case, we have $((S \sqcup_S S'')[l \mapsto d_1 \sqcup d'_2])(l) = d_1 \sqcup d'_2$.

We show that $(S[l \mapsto d_1 \sqcup d_2] \sqcup_S S'')(l)$ is also equal to $d_1 \sqcup d'_2$, as follows:

$$\begin{aligned}
(S[l \mapsto d_1 \sqcup d_2] \sqcup_S S'')(l) &= (S[l \mapsto d_1 \sqcup d_2])(l) \sqcup S''(l) \\
&= d_1 \sqcup d_2 \sqcup S''(l) \\
&= d_1 \sqcup S(l) \sqcup S''(l) \\
&= d_1 \sqcup (S \sqcup_S S'')(l) \\
&= d_1 \sqcup d'_2.
\end{aligned}$$

Therefore we have that $(S \sqcup_S S''; \mathsf{put}\ l\ \{d_1\}) \hookrightarrow (S[l \mapsto d_1 \sqcup d_2] \sqcup_S S''; \{\})$, as required.

• Case E-GetVal:

Given: $(S; \mathsf{get}\ l\ Q) \hookrightarrow (S; \{d_1\})$, and $S \sqcup_S S'' \neq \top_S$.

To show: $(S \sqcup_S S''; \mathsf{get}\ l\ Q) \hookrightarrow (S \sqcup_S S''; \{d_1\})$.

Since $S(l) = d_2$ (from the premises of E-GetVal), we know that $(S \sqcup_S S'')(l) = d'_2$, where $d_2 \sqsubseteq d'_2$.

From the premises of E-GetVal, we also have that $d_1 \in Q$ and that $d_1 \sqsubseteq d_2$. Since $d_2 \sqsubseteq d'_2$, we have that $d_1 \sqsubseteq d'_2$. Therefore, by E-GetVal, we have that $(S \sqcup_S S''; \mathsf{get}\ l\ Q) \hookrightarrow (S \sqcup_S S''; \{d_1\})$, as we were required to show.

(Intuitively, $\mathsf{get}\ l\ Q$ is asking whether the value of $S(l)$ is at least the value of $d_1$. Once that is true, it will remain so under increasing $S$, since the value of $S(l)$ can only increase as $S$ increases.)

• Case E-ConvertVal:

Given: $(S; \mathsf{convert}\ Q) \hookrightarrow (S; \delta(Q))$, and $S \sqcup_S S'' \neq \top_S$.

To show: $(S \sqcup_S S''; \mathsf{convert}\ Q) \hookrightarrow (S \sqcup_S S''; \delta(Q))$.

Immediate by E-ConvertVal.

□
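As an added, executable illustration (not code from the paper), the following Python model instantiates the store operations used in these proofs for the single-assignment IVar lattice and checks the E-PutVal and E-GetVal cases of the Independence lemma on constructed stores, together with the $\top_S$ case that the Clash lemma below covers. The dict-based store representation, the sentinel names BOT/TOP/TOP_S, and the helper functions are assumptions of this example.

```python
"""Executable model of lambda_LVar stores over the IVar (single-assignment) lattice.

Added example, not code from the paper. Lattice elements are BOT, a value, or
TOP (two distinct values written to one location); TOP_S is the error store.
Stores are dicts from location names to lattice elements (an assumption here).
"""

BOT = "BOT"      # least element of the IVar lattice
TOP = "TOP"      # greatest element: reached when two distinct values collide
TOP_S = "TOP_S"  # the error store (⊤_S)
ERROR = "error"  # the error configuration; (⊤_S; e) = error by E-ReflErr


def join(d1, d2):
    """Least upper bound d1 ⊔ d2 in the IVar lattice."""
    if d1 == TOP or d2 == TOP:
        return TOP
    if d1 == BOT:
        return d2
    if d2 == BOT:
        return d1
    return d1 if d1 == d2 else TOP


def leq(d1, d2):
    """d1 ⊑ d2, derived from the join in the usual way."""
    return join(d1, d2) == d2


def store_join(s1, s2):
    """S1 ⊔_S S2 (Definition 3): pointwise join; ⊤_S if any location reaches TOP."""
    if s1 == TOP_S or s2 == TOP_S:
        return TOP_S
    out = dict(s1)
    for loc, d in s2.items():
        out[loc] = join(out.get(loc, BOT), d)
        if out[loc] == TOP:
            return TOP_S
    return out


def put_val(s, loc, d1):
    """E-PutVal: (S; put l {d1}) ↪ (S[l ↦ d1 ⊔ d2]; {}) where S(l) = d2.

    When d1 ⊔ d2 = TOP the rule's side condition fails and the store would
    become ⊤_S; the model reports that as the error configuration. Only the
    resulting store is returned; the expression {} is implicit.
    """
    if s == TOP_S:
        return ERROR
    d2 = s[loc]  # premise S(l) = d2, so l must already be in dom(S)
    new = join(d1, d2)
    if new == TOP:
        return ERROR
    out = dict(s)
    out[loc] = new
    return out


def get_val(s, loc, threshold):
    """E-GetVal: the unique d1 ∈ Q with d1 ⊑ S(l); None means the read blocks."""
    if s == TOP_S:
        return ERROR
    hits = [d1 for d1 in threshold if leq(d1, s[loc])]
    if len(hits) > 1:
        raise ValueError("threshold set is not pairwise incompatible")
    return hits[0] if hits else None


def independence_holds(s, s2, loc, d1):
    """Lemma 3, E-PutVal case: with S' = S[l ↦ d1 ⊔ S(l)] and S' ⊔_S S'' ≠ ⊤_S,
    the same put on S ⊔_S S'' must reach exactly S' ⊔_S S''. (E-PutVal creates
    no locations, so every S'' is non-conflicting with the step.)"""
    s_prime = put_val(s, loc, d1)
    expected = store_join(s_prime, s2) if s_prime != ERROR else TOP_S
    if expected == TOP_S:
        raise ValueError("hypotheses of Lemma 3 do not hold for this input")
    return put_val(store_join(s, s2), loc, d1) == expected


def get_monotone(s, s2, loc, threshold):
    """Lemma 3, E-GetVal case: a threshold read that fires on S fires with the
    same answer on S ⊔_S S'' (given S ⊔_S S'' ≠ ⊤_S)."""
    answer = get_val(s, loc, threshold)
    bigger = store_join(s, s2)
    if answer is None or bigger == TOP_S:
        raise ValueError("hypotheses of Lemma 3 do not hold for this input")
    return get_val(bigger, loc, threshold) == answer


def clash_holds(s, s2, loc, d1):
    """Lemma 4, E-PutVal case: if S' ⊔_S S'' = ⊤_S, the put on S ⊔_S S'' errors."""
    s_prime = put_val(s, loc, d1)
    if s_prime == ERROR or store_join(s_prime, s2) != TOP_S:
        raise ValueError("hypotheses of Lemma 4 do not hold for this input")
    return put_val(store_join(s, s2), loc, d1) == ERROR


def demo():
    # Constructed stores: S is one thread's view; S'' is what another thread
    # contributed concurrently (its own fresh location l3 and a write to l1).
    s = {"l1": BOT, "l2": "x"}
    s2 = {"l1": 5, "l3": BOT}
    clashing = {"l1": 7}  # disagrees with the 5 written below, so S' ⊔_S S'' = ⊤_S
    return (independence_holds(s, s2, "l1", 5),
            get_monotone(s, s2, "l2", {"x", "y"}),
            clash_holds(s, clashing, "l1", 5))
```

Running `demo()` returns `(True, True, True)`: the put commutes with the concurrent store, the threshold read is stable under the larger store, and the conflicting write is rejected as error rather than silently producing a different value.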


A.4 Clash

Lemma 4 (Clash). If $(S; e) \hookrightarrow (S'; e')$ (where $(S'; e') \neq \mathsf{error}$), then for all $S''$ such that $S''$ is non-conflicting with $(S; e) \hookrightarrow (S'; e')$ and $S' \sqcup_S S'' = \top_S$:

$$(S \sqcup_S S''; e) \hookrightarrow \mathsf{error}.$$

Proof. Consider arbitrary $S''$ such that $S''$ is non-conflicting with $(S; e) \hookrightarrow (S'; e')$ and $S' \sqcup_S S'' = \top_S$. To show: $(S \sqcup_S S''; e) \hookrightarrow \mathsf{error}$.

The proof is by induction on the derivation of $(S; e) \hookrightarrow (S'; e')$, by cases on the last rule in the derivation. Since $(S'; e') \neq \mathsf{error}$, we only need to consider rules that step to non-error configurations.

• Case E-Refl:

Given: $(S; e) \hookrightarrow (S; e)$ and $S \sqcup_S S'' = \top_S$.

To show: $(S \sqcup_S S''; e) \hookrightarrow \mathsf{error}$.

Immediate by E-ReflErr since $(\top_S; e) = \mathsf{error}$.

• Case E-ParApp:

Given: $(S; e_1\ e_2) \hookrightarrow (S''_1 \sqcup_S S_2; e''_1\ e'_2)$, $S''$ is non-conflicting with $(S; e_1\ e_2) \hookrightarrow (S''_1 \sqcup_S S_2; e''_1\ e'_2)$, and $(S''_1 \sqcup_S S_2) \sqcup_S S'' = \top_S$.

To show: $(S \sqcup_S S''; e_1\ e_2) \hookrightarrow \mathsf{error}$.

From the premises of E-ParApp, we have that $(S; e_1) \hookrightarrow (S_1; e'_1)$, $(S; e_2) \hookrightarrow (S_2; e'_2)$, and $(S''_1; e''_1) = \mathit{rename}((S_1; e'_1), S_2, S)$.

At least one of the following situations must occur:

– $S_1 \sqcup_S S'' = \top_S$. Then, by IH, $(S \sqcup_S S''; e_1) \hookrightarrow \mathsf{error}$. Therefore, by E-AppErr-1, we have that $(S \sqcup_S S''; e_1\ e_2) \hookrightarrow \mathsf{error}$, as required.

– $S_2 \sqcup_S S'' = \top_S$. Then, by IH, $(S \sqcup_S S''; e_2) \hookrightarrow \mathsf{error}$. Therefore, by E-AppErr-2, we have that $(S \sqcup_S S''; e_1\ e_2) \hookrightarrow \mathsf{error}$, as required.

– $S_1 \sqcup_S S'' \neq \top_S$ and $S_2 \sqcup_S S'' \neq \top_S$.

In this case, since $S_2 \sqcup_S S'' \neq \top_S$, we have that $S_2 \neq \top_S$. Therefore, since $(S; e_1) \hookrightarrow (S_1; e'_1)$, by Lemma 2 we have that $(S; e_1) \hookrightarrow \mathit{rename}((S_1; e'_1), S_2, S)$. Since $(S''_1; e''_1) = \mathit{rename}((S_1; e'_1), S_2, S)$, we have that $(S; e_1) \hookrightarrow (S''_1; e''_1)$.

We have from the premises that $S''$ is non-conflicting with $(S; e_1\ e_2) \hookrightarrow (S''_1 \sqcup_S S_2; e''_1\ e'_2)$, so, by Definition 5, $(\mathit{dom}(S''_1 \sqcup_S S_2) - \mathit{dom}(S)) \cap \mathit{dom}(S'') = \emptyset$. Therefore $(\mathit{dom}(S''_1) - \mathit{dom}(S)) \cap \mathit{dom}(S'') = \emptyset$, and so $S''$ is non-conflicting with $(S; e_1) \hookrightarrow (S''_1; e''_1)$. Likewise, $(\mathit{dom}(S_2) - \mathit{dom}(S)) \cap \mathit{dom}(S'') = \emptyset$, and so $S''$ is non-conflicting with $(S; e_2) \hookrightarrow (S_2; e'_2)$.

Therefore, by Lemma 3, we have that $(S \sqcup_S S''; e_1) \hookrightarrow (S''_1 \sqcup_S S''; e''_1)$ and that $(S \sqcup_S S''; e_2) \hookrightarrow (S_2 \sqcup_S S''; e'_2)$.

Since $(S''_1 \sqcup_S S_2) \sqcup_S S'' = \top_S$, we have that $(S''_1 \sqcup_S S'') \sqcup_S (S_2 \sqcup_S S'') = \top_S$. Therefore, by E-ParAppErr, we have that $(S \sqcup_S S''; e_1\ e_2) \hookrightarrow \mathsf{error}$, as required.

• Case E-Put-1:

Given: $(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_1; \mathsf{put}\ e'_1\ e_2)$, and $S_1 \sqcup_S S'' = \top_S$.

To show: $(S \sqcup_S S''; \mathsf{put}\ e_1\ e_2) \hookrightarrow \mathsf{error}$.

From the premise of E-Put-1, we have that $(S; e_1) \hookrightarrow (S_1; e'_1)$.

Since $S_1 \sqcup_S S'' = \top_S$, by IH, we have that $(S \sqcup_S S''; e_1) \hookrightarrow \mathsf{error}$.

Therefore, by E-PutErr-1 we have that $(S \sqcup_S S''; \mathsf{put}\ e_1\ e_2) \hookrightarrow \mathsf{error}$, as required.

• Case E-Put-2:

Given: $(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_2; \mathsf{put}\ e_1\ e'_2)$, and $S_2 \sqcup_S S'' = \top_S$.

To show: $(S \sqcup_S S''; \mathsf{put}\ e_1\ e_2) \hookrightarrow \mathsf{error}$.

From the premise of E-Put-2, we have that $(S; e_2) \hookrightarrow (S_2; e'_2)$.

Since $S_2 \sqcup_S S'' = \top_S$, by IH, we have that $(S \sqcup_S S''; e_2) \hookrightarrow \mathsf{error}$.

Therefore, by E-PutErr-2 we have that $(S \sqcup_S S''; \mathsf{put}\ e_1\ e_2) \hookrightarrow \mathsf{error}$, as required.

• Case E-Get-1: Analogous to E-Put-1.

• Case E-Get-2: Analogous to E-Put-2.

• Case E-Convert:

Given: $(S; \mathsf{convert}\ e) \hookrightarrow (S'; \mathsf{convert}\ e')$ and $S' \sqcup_S S'' = \top_S$.

To show: $(S \sqcup_S S''; \mathsf{convert}\ e) \hookrightarrow \mathsf{error}$.

From the premise of E-Convert, we have that $(S; e) \hookrightarrow (S'; e')$.

Since $S' \sqcup_S S'' = \top_S$, by IH, we have that $(S \sqcup_S S''; e) \hookrightarrow \mathsf{error}$.

Therefore, by E-ConvertErr we have that $(S \sqcup_S S''; \mathsf{convert}\ e) \hookrightarrow \mathsf{error}$, as required.

• Case E-Beta:

Given: $(S; (\lambda x.\ e)\ v) \hookrightarrow (S; e[x := v])$ and $S \sqcup_S S'' = \top_S$.

To show: $(S \sqcup_S S''; (\lambda x.\ e)\ v) \hookrightarrow \mathsf{error}$.

Immediate by E-ReflErr since $(\top_S; (\lambda x.\ e)\ v) = \mathsf{error}$.

• Case E-New:

Given: $(S; \mathsf{new}) \hookrightarrow (S[l \mapsto \bot]; l)$ (where $l \notin \mathit{dom}(S)$), $S''$ is non-conflicting with $(S; \mathsf{new}) \hookrightarrow (S[l \mapsto \bot]; l)$, and $S[l \mapsto \bot] \sqcup_S S'' = \top_S$.

To show: $(S \sqcup_S S''; \mathsf{new}) \hookrightarrow \mathsf{error}$.

By E-New, $(S \sqcup_S S''; \mathsf{new}) \hookrightarrow ((S \sqcup_S S'')[l' \mapsto \bot]; l')$, where $l' \notin \mathit{dom}(S \sqcup_S S'')$. One of the following two possibilities must hold:

– $l' = l$.

In this case, we immediately have that $(S \sqcup_S S''; \mathsf{new}) \hookrightarrow ((S \sqcup_S S'')[l \mapsto \bot]; l)$.

– $l' \neq l$.

In this case, we apply Lemma 1 to $(S \sqcup_S S''; \mathsf{new}) \hookrightarrow ((S \sqcup_S S'')[l' \mapsto \bot]; l')$ and $\{l'\}$. Therefore, for all $l''$ such that $l'' \notin \mathit{dom}((S \sqcup_S S'')[l' \mapsto \bot])$,

$$\begin{aligned}
(S \sqcup_S S''; \mathsf{new}) &\hookrightarrow (S_{\mathit{oldlocs}}[l'' \mapsto ((S \sqcup_S S'')[l' \mapsto \bot])(l')];\ l'[l' := l'']) \\
&= (S_{\mathit{oldlocs}}[l'' \mapsto \bot];\ l''),
\end{aligned}$$

where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S \sqcup_S S'')$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = ((S \sqcup_S S'')[l' \mapsto \bot])(l)$.

Note that since $l' \notin \mathit{dom}(S \sqcup_S S'')$, $S_{\mathit{oldlocs}}(l) = (S \sqcup_S S'')(l)$ for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$. Therefore, since $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S \sqcup_S S'')$ and $S_{\mathit{oldlocs}}(l) = (S \sqcup_S S'')(l)$ for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, the conditions of Definition 9 are satisfied, and $S_{\mathit{oldlocs}} = S \sqcup_S S''$.

Therefore, we have that for all $l''$ such that $l'' \notin \mathit{dom}((S \sqcup_S S'')[l' \mapsto \bot])$,

$$(S \sqcup_S S''; \mathsf{new}) \hookrightarrow ((S \sqcup_S S'')[l'' \mapsto \bot]; l'').$$

Instantiate the above with $l$. Since $S''$ is non-conflicting with $(S; \mathsf{new}) \hookrightarrow (S[l \mapsto \bot]; l)$, we know that
l £ dom(S"), and we have from the side condition of E-New that l £ dom(S). Therefore l £ dom(S Ug 
S'"), and since l ^ l 1 , we have that l ^ dom((S Ug S") [V t-# i-]). Therefore, ( S Ug S'"; new) c —> ((SUg 

S")[z~xb 0- 

So, regardless of whether l' = l or l' ^ l, we can conclude (S Ug S"; new) c —> ((S Ug S")[Z n* T]; l). Then, 
since S" is non-conflicting with (S; new) c —> (S[l t —> J_]; l), we have that l ^ dom(S"), and we have from 
the side condition of E-New that l £ dorn(S). Therefore, we have: 

(S Ug S")[Z h* Afm S[l ^ T] Ug S"[l ^ J_j 

= S Ug [l i—► 1] Ug S" Ug [l i ► T] 

= S Us [Z i— > L] Ug S" 

= S[l i ► ±] Us S" 

Tg. 

Therefore, since (Tg; Z) = error, we have that (S Ug S"; new) c —> error, as we were required to show. 
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• Case E-PutVal: 


Given: (S; put l {di}) » (S[l i—► U d 2 ]; {}) and S[l i-> di U d 2 ] U s S" = T s . 

To show: (S Us S"; put l {di}} c —> error. 

One of the following must be the case: 

- S Ug S" = Tg. In this case, the proof is immediate by E-ReflErr, since (T s : put l {dj }) = error. 

- S Us S" f T§. In this case, we proceed as follows: 

Since S(Z) = d 2 (from the premises of E-PutVal), we know that (S Us = d',, where d 2 C d 2 . 

We show that d\ U d' 2 = T, as follows: 

* Since S[l 1—> d\ U d 2 \ Us S" = we know that there exists some l' £ dom(S[l i—> d\ U d 2 ]) ft 
dom(S") such that ( S[l i-> di U d 2 ])(l') U S"(l') = T. 

* If V ^ l, then (S[l d\ U d 2 ])(l') would be equal to because the binding for l would be 
irrelevant. We would then have (S[l ^ d-[ U d 2 ])(l') U S"(l r ) = S{V) U S"(V) = T, a contradiction 
since S' Us S'" 7^ Ts. Therefore it must be the case that V = l, so we have that (S[l i-> d\ U d 2 ])(l) U 
S"{1) = T. 

* Therefore, we have: 

T = (S[l di U d 2 ])(l) U S"(l) 

= di 11 d 2 IJ S"(?) 

= diUS(Z)uS"(0 
= diUS(Z)uS"(() 

= diU(SUsS")(0 

= di U d' 2 

Therefore, since (SUsS")(Z) = d' 2 and d\Ud' 2 = T,byE-PuTVALERRwehavethat(SUsS"; put / {d-|}) '—> 
error, as required. 

• Case E-GetVal: 

Given: (S; get l Q) ^ (S; {di}> and S U s S" = T s . 

To show: (S U s S"; get / Q) c —> error. 

Immediate by E-ReflErr since (Ts; get / Q) = error. 

• Case E-ConvertVal: 

Given: (S; convert Q) «—* (S; 6 (Q)) and S U s S" = T s . 

To show: (S Us S"; convert Q) 5 —> error. 

Immediate by E-ReflErr since (Ts; convert Q) = error. 


(since (S[Z di U d 2 ])(Z) = d\ U d 2 ) 
(since S(Z) = d 2 ) 


□ 


A.5 Error Preservation

Lemma 5 (Error Preservation). If $\langle S; e \rangle \hookrightarrow \mathsf{error}$ and $S \sqsubseteq_S S'$, then $\langle S'; e \rangle \hookrightarrow \mathsf{error}$.

Proof. Let $S \sqsubseteq_S S'$ and proceed by induction on the derivation of $\langle S; e \rangle \hookrightarrow \mathsf{error}$. We only need to consider the reduction rules that step to error.

Case E-AppErr-1:

Given: $\langle S; e_1\ e_2 \rangle \hookrightarrow \mathsf{error}$.

To show: $\langle S'; e_1\ e_2 \rangle \hookrightarrow \mathsf{error}$.

From the premise of E-AppErr-1 we have that $\langle S; e_1 \rangle \hookrightarrow \mathsf{error}$. Since $S \sqsubseteq_S S'$, we have by the induction hypothesis that $\langle S'; e_1 \rangle \hookrightarrow \mathsf{error}$. Therefore, by E-AppErr-1, we have that $\langle S'; e_1\ e_2 \rangle \hookrightarrow \mathsf{error}$, as required.

Case E-AppErr-2: Analogous to E-AppErr-1.

Case E-ParAppErr:

(NB: For simplicity, we elide renaming throughout this case and assume that configurations can be renamed to meet non-conflicting requirements.)

Given: $\langle S; e_1\ e_2 \rangle \hookrightarrow \mathsf{error}$.

To show: $\langle S'; e_1\ e_2 \rangle \hookrightarrow \mathsf{error}$.

From the premises of E-ParAppErr, we have that:

- $\langle S; e_1 \rangle \hookrightarrow \langle S_1; e_1' \rangle$,

- $\langle S; e_2 \rangle \hookrightarrow \langle S_2; e_2' \rangle$, and

- $S_1 \sqcup_S S_2 = \top_S$.

At least one of the following situations must occur:

- $S_1 \sqcup_S S' = \top_S$.

In this case, since $\langle S; e_1 \rangle \hookrightarrow \langle S_1; e_1' \rangle$, and $S_1 \sqcup_S S' = \top_S$, we have from Lemma 4 that $\langle S \sqcup_S S'; e_1 \rangle \hookrightarrow \mathsf{error}$. Since $S \sqsubseteq_S S'$, $S \sqcup_S S' = S'$, so we have that $\langle S'; e_1 \rangle \hookrightarrow \mathsf{error}$. Therefore, by E-AppErr-1, we have that $\langle S'; e_1\ e_2 \rangle \hookrightarrow \mathsf{error}$, as required.

- $S_2 \sqcup_S S' = \top_S$.

In this case, since $\langle S; e_2 \rangle \hookrightarrow \langle S_2; e_2' \rangle$, and $S_2 \sqcup_S S' = \top_S$, we have from Lemma 4 that $\langle S \sqcup_S S'; e_2 \rangle \hookrightarrow \mathsf{error}$. Since $S \sqsubseteq_S S'$, $S \sqcup_S S' = S'$, so we have that $\langle S'; e_2 \rangle \hookrightarrow \mathsf{error}$. Therefore, by E-AppErr-2, we have that $\langle S'; e_1\ e_2 \rangle \hookrightarrow \mathsf{error}$, as required.

- $S_1 \sqcup_S S' \neq \top_S$ and $S_2 \sqcup_S S' \neq \top_S$.

In this case, since $\langle S; e_1 \rangle \hookrightarrow \langle S_1; e_1' \rangle$ and $S_1 \sqcup_S S' \neq \top_S$, we have from Lemma 3 that $\langle S \sqcup_S S'; e_1 \rangle \hookrightarrow \langle S_1 \sqcup_S S'; e_1' \rangle$. Likewise, since $\langle S; e_2 \rangle \hookrightarrow \langle S_2; e_2' \rangle$ and $S_2 \sqcup_S S' \neq \top_S$, we have from Lemma 3 that $\langle S \sqcup_S S'; e_2 \rangle \hookrightarrow \langle S_2 \sqcup_S S'; e_2' \rangle$.

Since $S \sqsubseteq_S S'$, $S \sqcup_S S' = S'$, so we have that $\langle S'; e_1 \rangle \hookrightarrow \langle S_1 \sqcup_S S'; e_1' \rangle$ and $\langle S'; e_2 \rangle \hookrightarrow \langle S_2 \sqcup_S S'; e_2' \rangle$.

Since $S_1 \sqcup_S S_2 = \top_S$, we have that $S_1 \sqcup_S S' \sqcup_S S_2 \sqcup_S S' = \top_S$. Therefore, by E-ParAppErr, we have that $\langle S'; e_1\ e_2 \rangle \hookrightarrow \mathsf{error}$, as desired.

Case E-PutErr-1: Analogous to E-AppErr-1.

Case E-PutErr-2: Analogous to E-AppErr-1.

Case E-GetErr-1: Analogous to E-AppErr-1.

Case E-GetErr-2: Analogous to E-AppErr-1.

Case E-ConvertErr:

Given: $\langle S; \mathit{convert}\ e \rangle \hookrightarrow \mathsf{error}$.

To show: $\langle S'; \mathit{convert}\ e \rangle \hookrightarrow \mathsf{error}$.

From the premise of E-ConvertErr we have that $\langle S; e \rangle \hookrightarrow \mathsf{error}$. Since $S \sqsubseteq_S S'$, we have by the induction hypothesis that $\langle S'; e \rangle \hookrightarrow \mathsf{error}$. Therefore, by E-ConvertErr, we have that $\langle S'; \mathit{convert}\ e \rangle \hookrightarrow \mathsf{error}$, as required.

Case E-PutValErr:

Given: $\langle S; \mathit{put}\ l\ \{d_1\} \rangle \hookrightarrow \mathsf{error}$.

To show: $\langle S'; \mathit{put}\ l\ \{d_1\} \rangle \hookrightarrow \mathsf{error}$.

Since $S(l) = d_2$ (from the first premise of E-PutValErr), we know that $S'(l) = d_2'$, where $d_2 \sqsubseteq d_2'$. Since $d_1 \sqcup d_2 = \top$, we have that $d_1 \sqcup d_2' = \top$. Therefore, by E-PutValErr, $\langle S'; \mathit{put}\ l\ \{d_1\} \rangle \hookrightarrow \mathsf{error}$, as required.

□


A.6 Diamond

Lemma 6 (Diamond). If $\sigma \hookrightarrow \sigma_a$ and $\sigma \hookrightarrow \sigma_b$, then there exists $\sigma_c$ such that either:

• $\sigma_a \hookrightarrow \sigma_c$ and $\sigma_b \hookrightarrow \sigma_c$, or

• there exists a safe renaming $\sigma_b'$ of $\sigma_b$ with respect to $\sigma \hookrightarrow \sigma_b$, such that $\sigma_a \hookrightarrow \sigma_c$ and $\sigma_b' \hookrightarrow \sigma_c$.

Proof. By induction on the derivation of $\sigma \hookrightarrow \sigma_a$, by cases on the last rule in the derivation. For all cases except the E-New case, we prove the first disjunct; in the E-New case, we prove the second disjunct.

Where necessary, we use a “left/right” naming convention for subcases of the proof. For instance, the subcase E-ParApp/E-Refl is the case where the last rule in the derivation of $\sigma \hookrightarrow \sigma_a$ (the “left” side of the diamond) is E-ParApp and the last rule in the derivation of $\sigma \hookrightarrow \sigma_b$ (the “right” side of the diamond) is E-Refl.
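As an added example that is not part of the paper, the following Python models the store operations that the E-PutVal case of Lemma 4 and the Diamond lemma reason about: the lattice join, the store join $S_1 \sqcup_S S_2$ that becomes $\top_S$ when a shared location joins to $\top$, the E-PutVal/E-PutValErr step, the threshold read of E-GetVal, and an exhaustive check of the diamond for two parallel puts (the E-ParApp/E-ParApp subcase). It assumes the single-assignment (IVar) lattice as the instance of the user-specified lattice $D$; all class and function names are my own.

```python
# Added example (not code from the paper): an executable model of the LVar store
# as used in the Lemma 4 E-PutVal case and the Diamond lemma. The IVar lattice
# below is an assumed instance of the paper's lattice D; all names are my own.
from itertools import product

BOT = None        # ⊥: an allocated but unwritten location
TOP = "TOP"       # ⊤: the lattice's conflict element
ERROR = "error"   # the error configuration; a store equal to ⊤_S is modelled as ERROR


class IVarLattice:
    """Single-assignment lattice: ⊥ ⊑ v ⊑ ⊤ for every value v; distinct values join to ⊤."""

    def join(self, a, b):
        """a ⊔ b."""
        if a is BOT:
            return b
        if b is BOT:
            return a
        if a == TOP or b == TOP or a != b:
            return TOP
        return a

    def leq(self, a, b):
        """a ⊑ b."""
        return a is BOT or b == TOP or a == b


def store_join(lat, s1, s2):
    """S1 ⊔_S S2: pointwise join over dom(S1) ∪ dom(S2); the result is ⊤_S (ERROR)
    exactly when some l in both domains has S1(l) ⊔ S2(l) = ⊤, as Lemma 4 uses."""
    if s1 == ERROR or s2 == ERROR:
        return ERROR
    out = {}
    for l in set(s1) | set(s2):
        v = lat.join(s1[l], s2[l]) if l in s1 and l in s2 else s1.get(l, s2.get(l))
        if v == TOP:
            return ERROR
        out[l] = v
    return out


def put(lat, s, l, d1):
    """⟨S; put l {d1}⟩: E-PutVal yields S[l ↦ d1 ⊔ S(l)]; E-PutValErr yields error if that join is ⊤."""
    if s == ERROR:
        return ERROR                 # E-ReflErr: error only steps to error
    joined = lat.join(d1, s[l])      # d1 ⊔ d2 where d2 = S(l)
    if joined == TOP:
        return ERROR                 # E-PutValErr
    new = dict(s)
    new[l] = joined                  # E-PutVal
    return new


def get(lat, s, l, threshold):
    """⟨S; get l Q⟩ (E-GetVal): the d1 ∈ Q with d1 ⊑ S(l), or None when the read would
    block. Q must be pairwise incompatible, so at most one element can qualify."""
    if s == ERROR:
        return ERROR
    hits = [d for d in threshold if lat.leq(d, s[l])]
    assert len(hits) <= 1, "threshold set is not pairwise incompatible"
    return hits[0] if hits else None


def diamond_two_puts(lat, s, a, b):
    """Diamond check for σ = ⟨S; (put la {da}) (put lb {db})⟩ under E-ParApp/E-ParApp:
    the E-ParApp result S_a ⊔_S S_b must agree with both sequential orders, and if
    one path reaches error every path does (Lemma 5). Returns the common result."""
    (la, da), (lb, db) = a, b
    s_a = put(lat, s, la, da)                 # ⟨S; put la {da}⟩ ↪ ⟨S_a; {}⟩
    s_b = put(lat, s, lb, db)                 # ⟨S; put lb {db}⟩ ↪ ⟨S_b; {}⟩
    joined = store_join(lat, s_a, s_b)        # E-ParApp: S_a ⊔_S S_b, or E-ParAppErr
    left = put(lat, s_a, lb, db)              # finish the right component from S_a
    right = put(lat, s_b, la, da)             # finish the left component from S_b
    if not (left == right == joined):
        raise AssertionError(f"diamond fails: {left} {right} {joined}")
    return joined


def check_all(lat, values, locs=("l1", "l2")):
    """Exhaustively checks the diamond over every store and ordered pair of puts
    drawn from `values`; returns the number of cases checked."""
    count = 0
    for store_vals in product([BOT] + list(values), repeat=len(locs)):
        s = dict(zip(locs, store_vals))
        for a, b in product(product(locs, values), repeat=2):
            diamond_two_puts(lat, s, a, b)
            count += 1
    return count


if __name__ == "__main__":
    lat = IVarLattice()
    print(check_all(lat, ["x", "y"]))   # 144 cases, none violating the diamond
```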

A.6.1 E-Refl

• E-Refl: $\sigma = \langle S; e \rangle$, and $\sigma_a = \langle S; e \rangle$.

Given:

- $\langle S; e \rangle \hookrightarrow \langle S; e \rangle$, and

- $\langle S; e \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S; e \rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

For all subcases E-Refl/*, choose $\sigma_c = \sigma_b$.

To show:

- $\langle S; e \rangle \hookrightarrow \sigma_b$, which is immediate from our assumptions, above, and

- $\sigma_b \hookrightarrow \sigma_b$, which follows from either E-Refl or E-ReflErr.

A.6.2 E-ParApp

• E-ParApp: $\sigma = \langle S; e_1\ e_2 \rangle$, and $\sigma_a = \langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle$.

(NB: For simplicity, we elide renaming throughout this case and assume that configurations can be renamed to meet non-conflicting requirements.)

Given:

- $\langle S; e_1\ e_2 \rangle \hookrightarrow \langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle$, and

- $\langle S; e_1\ e_2 \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

From the premises of E-ParApp, we have the following facts:

- $\langle S; e_1 \rangle \hookrightarrow \langle S_1; e_1' \rangle$;

- $\langle S; e_2 \rangle \hookrightarrow \langle S_2; e_2' \rangle$; and

- $S_1 \sqcup_S S_2 \neq \top_S$.

We proceed by subcases, on the last rule in the derivation of $\langle S; e_1\ e_2 \rangle \hookrightarrow \sigma_b$. By the operational semantics, there are six possibilities: E-ParApp/E-Refl, E-ParApp/E-ParApp, E-ParApp/E-Beta, E-ParApp/E-AppErr-1, E-ParApp/E-AppErr-2, and E-ParApp/E-ParAppErr.

- E-ParApp/E-Refl:

Analogous to the E-Refl/E-ParApp case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ParApp/E-ParApp:

In this case, we have the following facts:

* $\sigma_b = \langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2} \rangle$,

* $\langle S; e_1 \rangle \hookrightarrow \langle S_{b_1}; e_{b_1} \rangle$,

* $\langle S; e_2 \rangle \hookrightarrow \langle S_{b_2}; e_{b_2} \rangle$, and

* $S_{b_1} \sqcup_S S_{b_2} \neq \top_S$.

Since $\langle S; e_1 \rangle \hookrightarrow \langle S_1; e_1' \rangle$ and $\langle S; e_1 \rangle \hookrightarrow \langle S_{b_1}; e_{b_1} \rangle$ (from above), we have by IH that there exists $\sigma_{c_1}$ such that $\langle S_1; e_1' \rangle \hookrightarrow \sigma_{c_1}$ and $\langle S_{b_1}; e_{b_1} \rangle \hookrightarrow \sigma_{c_1}$. Either $\sigma_{c_1}$ is $\mathsf{error}$, or it is some non-error configuration $\langle S_{c_1}; e_{c_1} \rangle$.

Similarly, since $\langle S; e_2 \rangle \hookrightarrow \langle S_2; e_2' \rangle$ and $\langle S; e_2 \rangle \hookrightarrow \langle S_{b_2}; e_{b_2} \rangle$, we have by IH that there exists $\sigma_{c_2}$ such that $\langle S_2; e_2' \rangle \hookrightarrow \sigma_{c_2}$ and $\langle S_{b_2}; e_{b_2} \rangle \hookrightarrow \sigma_{c_2}$. Either $\sigma_{c_2}$ is $\mathsf{error}$, or it is some non-error configuration $\langle S_{c_2}; e_{c_2} \rangle$.

We’re required to show that there exists $\sigma_c$ such that

* $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \sigma_c$, and

* $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2} \rangle \hookrightarrow \sigma_c$.

We consider possibilities 1, 2 and 3, at least one of which must hold. We will show that in 1, 2, 3a, 3b and 3c, $\sigma_c = \mathsf{error}$, and in 3d, $\sigma_c = \langle S_{c_1} \sqcup_S S_{c_2}; e_{c_1}\ e_{c_2} \rangle$.

1. $\sigma_{c_1} = \mathsf{error}$.

Then, since $\langle S_1; e_1' \rangle \hookrightarrow \mathsf{error}$, we have by E-AppErr-1 that $\langle S_1; e_1'\ e_2' \rangle \hookrightarrow \mathsf{error}$. Then, by Lemma 5, $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \mathsf{error}$. Likewise, since $\langle S_{b_1}; e_{b_1} \rangle \hookrightarrow \mathsf{error}$, we have by E-AppErr-1 that $\langle S_{b_1}; e_{b_1}\ e_{b_2} \rangle \hookrightarrow \mathsf{error}$, and again by Lemma 5 we have that $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2} \rangle \hookrightarrow \mathsf{error}$. Therefore $\sigma_c = \mathsf{error}$.

2. $\sigma_{c_2} = \mathsf{error}$.

An argument analogous to the above applies, this time appealing to E-AppErr-2. Therefore $\sigma_c = \mathsf{error}$.

3. $\sigma_{c_1} \neq \mathsf{error}$ and $\sigma_{c_2} \neq \mathsf{error}$.

Then $\sigma_{c_1} = \langle S_{c_1}; e_{c_1} \rangle$, and $\sigma_{c_2} = \langle S_{c_2}; e_{c_2} \rangle$.

At least one of the following four possibilities must hold:

(a) $S_{c_1} \sqcup_S S_2 = \top_S$.

Then, since $\langle S_1; e_1' \rangle \hookrightarrow \langle S_{c_1}; e_{c_1} \rangle$, by Lemma 4 we have that $\langle S_1 \sqcup_S S_2; e_1' \rangle \hookrightarrow \mathsf{error}$. Therefore, by E-AppErr-1, $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \mathsf{error}$.

Next, we show that $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2} \rangle$ must step to $\mathsf{error}$, as well. At least one of the following three possibilities must hold:

i. $S_{c_1} \sqcup_S S_{b_2} = \top_S$.

Then, since $\langle S_{b_1}; e_{b_1} \rangle \hookrightarrow \langle S_{c_1}; e_{c_1} \rangle$, by Lemma 4 we have that $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1} \rangle \hookrightarrow \mathsf{error}$. Therefore, by E-AppErr-1, $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2} \rangle \hookrightarrow \mathsf{error}$.

ii. $S_{b_1} \sqcup_S S_{c_2} = \top_S$.

Then, since $\langle S_{b_2}; e_{b_2} \rangle \hookrightarrow \langle S_{c_2}; e_{c_2} \rangle$, by Lemma 4 we have that $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_2} \rangle \hookrightarrow \mathsf{error}$. Therefore, by E-AppErr-2, $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2} \rangle \hookrightarrow \mathsf{error}$.

iii. $S_{c_1} \sqcup_S S_{b_2} \neq \top_S$ and $S_{b_1} \sqcup_S S_{c_2} \neq \top_S$.

Then, since $\langle S_{b_1}; e_{b_1} \rangle \hookrightarrow \langle S_{c_1}; e_{c_1} \rangle$ and $\langle S_{b_2}; e_{b_2} \rangle \hookrightarrow \langle S_{c_2}; e_{c_2} \rangle$, we have by Lemma 3 that $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1} \rangle \hookrightarrow \langle S_{c_1} \sqcup_S S_{b_2}; e_{c_1} \rangle$ and $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_2} \rangle \hookrightarrow \langle S_{b_1} \sqcup_S S_{c_2}; e_{c_2} \rangle$. But since $S_{c_1} \sqcup_S S_2 = \top_S$, we have that $S_{c_1} \sqcup_S S_{c_2} = \top_S$, since $S_2 \sqsubseteq_S S_{c_2}$.

And since $S_{c_1} \sqcup_S S_{c_2} = \top_S$, we have that:

$(S_{c_1} \sqcup_S S_{b_2}) \sqcup_S (S_{b_1} \sqcup_S S_{c_2}) = S_{c_1} \sqcup_S S_{c_2} \sqcup_S S_{b_1} \sqcup_S S_{b_2} = \top_S \sqcup_S S_{b_1} \sqcup_S S_{b_2} = \top_S$.

Therefore, E-ParAppErr applies, and $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2} \rangle \hookrightarrow \mathsf{error}$.

Therefore, in this case, $\sigma_c = \mathsf{error}$.

(b) $S_1 \sqcup_S S_{c_2} = \top_S$.

Then, since $\langle S_2; e_2' \rangle \hookrightarrow \langle S_{c_2}; e_{c_2} \rangle$, by Lemma 4 we have that $\langle S_1 \sqcup_S S_2; e_2' \rangle \hookrightarrow \mathsf{error}$. Therefore, by E-AppErr-2, $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \mathsf{error}$.

Next, we show that $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2} \rangle$ must step to $\mathsf{error}$, as well. At least one of the following three possibilities must hold:

i. $S_{c_1} \sqcup_S S_{b_2} = \top_S$.

Then $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2} \rangle \hookrightarrow \mathsf{error}$ by the same argument as 3(a)i.

ii. $S_{b_1} \sqcup_S S_{c_2} = \top_S$.

Then $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2} \rangle \hookrightarrow \mathsf{error}$ by the same argument as 3(a)ii.

iii. $S_{c_1} \sqcup_S S_{b_2} \neq \top_S$ and $S_{b_1} \sqcup_S S_{c_2} \neq \top_S$.

Then the argument of 3(a)iii applies, with the modification that, since $S_1 \sqcup_S S_{c_2} = \top_S$, we have that $S_{c_1} \sqcup_S S_{c_2} = \top_S$, since $S_1 \sqsubseteq_S S_{c_1}$.

So, $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2} \rangle \hookrightarrow \mathsf{error}$.

Therefore, in this case, $\sigma_c = \mathsf{error}$.

(c) $S_{c_1} \sqcup_S S_2 \neq \top_S$, $S_1 \sqcup_S S_{c_2} \neq \top_S$, and $(S_{c_1} \sqcup_S S_2) \sqcup_S (S_1 \sqcup_S S_{c_2}) = \top_S$.

Then, since $\langle S_1; e_1' \rangle \hookrightarrow \langle S_{c_1}; e_{c_1} \rangle$ and $\langle S_2; e_2' \rangle \hookrightarrow \langle S_{c_2}; e_{c_2} \rangle$, we have by Lemma 3 that $\langle S_1 \sqcup_S S_2; e_1' \rangle \hookrightarrow \langle S_{c_1} \sqcup_S S_2; e_{c_1} \rangle$ and $\langle S_1 \sqcup_S S_2; e_2' \rangle \hookrightarrow \langle S_1 \sqcup_S S_{c_2}; e_{c_2} \rangle$. But since $(S_{c_1} \sqcup_S S_2) \sqcup_S (S_1 \sqcup_S S_{c_2}) = \top_S$, we have by E-ParAppErr that $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \mathsf{error}$.

Next, we show that $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2} \rangle$ must step to $\mathsf{error}$, as well. At least one of the following three possibilities must hold:

i. $S_{c_1} \sqcup_S S_{b_2} = \top_S$.

Then $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2} \rangle \hookrightarrow \mathsf{error}$ by the same argument as 3(a)i.

ii. $S_{b_1} \sqcup_S S_{c_2} = \top_S$.

Then $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2} \rangle \hookrightarrow \mathsf{error}$ by the same argument as 3(a)ii.

iii. $S_{c_1} \sqcup_S S_{b_2} \neq \top_S$ and $S_{b_1} \sqcup_S S_{c_2} \neq \top_S$.

Then the argument of 3(a)iii applies, with the modification that, since $(S_{c_1} \sqcup_S S_2) \sqcup_S (S_1 \sqcup_S S_{c_2}) = \top_S$, we have that $S_{c_1} \sqcup_S S_{c_2} = \top_S$, since $S_1 \sqsubseteq_S S_{c_1}$ and $S_2 \sqsubseteq_S S_{c_2}$.

So, $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2} \rangle \hookrightarrow \mathsf{error}$.

Therefore, in this case, $\sigma_c = \mathsf{error}$.

(d) $S_{c_1} \sqcup_S S_2 \neq \top_S$, $S_1 \sqcup_S S_{c_2} \neq \top_S$, and $(S_{c_1} \sqcup_S S_2) \sqcup_S (S_1 \sqcup_S S_{c_2}) \neq \top_S$.

Then, since $\langle S_1; e_1' \rangle \hookrightarrow \langle S_{c_1}; e_{c_1} \rangle$ and $\langle S_2; e_2' \rangle \hookrightarrow \langle S_{c_2}; e_{c_2} \rangle$, we have by Lemma 3 that $\langle S_1 \sqcup_S S_2; e_1' \rangle \hookrightarrow \langle S_{c_1} \sqcup_S S_2; e_{c_1} \rangle$ and $\langle S_1 \sqcup_S S_2; e_2' \rangle \hookrightarrow \langle S_1 \sqcup_S S_{c_2}; e_{c_2} \rangle$.

So, by E-ParApp, we have that $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \langle (S_{c_1} \sqcup_S S_2) \sqcup_S (S_1 \sqcup_S S_{c_2}); e_{c_1}\ e_{c_2} \rangle$.

Since $S_1 \sqsubseteq_S S_{c_1}$ and $S_2 \sqsubseteq_S S_{c_2}$, we can simplify $(S_{c_1} \sqcup_S S_2) \sqcup_S (S_1 \sqcup_S S_{c_2})$ to $S_{c_1} \sqcup_S S_{c_2}$, so we have that $S_{c_1} \sqcup_S S_{c_2} \neq \top_S$, and $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \langle S_{c_1} \sqcup_S S_{c_2}; e_{c_1}\ e_{c_2} \rangle$.

Next, we show that $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2} \rangle$ must step to $\langle S_{c_1} \sqcup_S S_{c_2}; e_{c_1}\ e_{c_2} \rangle$, as well. At least one of the following possibilities must hold:

i. $S_{c_1} \sqcup_S S_{b_2} = \top_S$.

Can’t happen, because if it were true, we would have $S_{c_1} \sqcup_S S_{c_2} = \top_S$ (since $S_{b_2} \sqsubseteq_S S_{c_2}$), which would contradict $S_{c_1} \sqcup_S S_{c_2} \neq \top_S$, above.

ii. $S_{b_1} \sqcup_S S_{c_2} = \top_S$.

Can’t happen, because if it were true, we would have $S_{c_1} \sqcup_S S_{c_2} = \top_S$ (since $S_{b_1} \sqsubseteq_S S_{c_1}$), which would contradict $S_{c_1} \sqcup_S S_{c_2} \neq \top_S$, above.

iii. $S_{c_1} \sqcup_S S_{b_2} \neq \top_S$ and $S_{b_1} \sqcup_S S_{c_2} \neq \top_S$.

Then, since $\langle S_{b_1}; e_{b_1} \rangle \hookrightarrow \langle S_{c_1}; e_{c_1} \rangle$ and $\langle S_{b_2}; e_{b_2} \rangle \hookrightarrow \langle S_{c_2}; e_{c_2} \rangle$, we have by Lemma 3 that $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1} \rangle \hookrightarrow \langle S_{c_1} \sqcup_S S_{b_2}; e_{c_1} \rangle$ and $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_2} \rangle \hookrightarrow \langle S_{b_1} \sqcup_S S_{c_2}; e_{c_2} \rangle$. Then, since $S_{c_1} \sqcup_S S_{c_2} \neq \top_S$ and $S_{b_1} \sqsubseteq_S S_{c_1}$ and $S_{b_2} \sqsubseteq_S S_{c_2}$, we have that $(S_{c_1} \sqcup_S S_{b_2}) \sqcup_S (S_{b_1} \sqcup_S S_{c_2}) \neq \top_S$. Therefore, E-ParApp applies, and we have that $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2} \rangle \hookrightarrow \langle (S_{c_1} \sqcup_S S_{b_2}) \sqcup_S (S_{b_1} \sqcup_S S_{c_2}); e_{c_1}\ e_{c_2} \rangle$. Since $(S_{c_1} \sqcup_S S_{b_2}) \sqcup_S (S_{b_1} \sqcup_S S_{c_2})$ simplifies to $S_{c_1} \sqcup_S S_{c_2}$, we have that $\langle S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2} \rangle \hookrightarrow \langle S_{c_1} \sqcup_S S_{c_2}; e_{c_1}\ e_{c_2} \rangle$.

Therefore, in this case, $\sigma_c = \langle S_{c_1} \sqcup_S S_{c_2}; e_{c_1}\ e_{c_2} \rangle$.

- E-ParApp/E-Beta:

In this case, we have the following facts:

* $\langle S; e_1\ e_2 \rangle = \langle S; (\lambda x.\, e_{11})\ v \rangle$ for some $e_{11}$ and some value $v$; and

* $\sigma_b = \langle S; e_{11}[x := v] \rangle$.

We’re required to show that there exists $\sigma_c$ such that

* $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \sigma_c$, and

* $\langle S; e_{11}[x := v] \rangle \hookrightarrow \sigma_c$.

Choose $\sigma_c = \langle S; e_{11}[x := v] \rangle$. We have from E-Refl that $\langle S; e_{11}[x := v] \rangle \hookrightarrow \langle S; e_{11}[x := v] \rangle$, so it remains to show that $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \langle S; e_{11}[x := v] \rangle$.

From the premises of E-ParApp, we have that $\langle S; e_1 \rangle \hookrightarrow \langle S_1; e_1' \rangle$ and $\langle S; e_2 \rangle \hookrightarrow \langle S_2; e_2' \rangle$. But $e_1 = \lambda x.\, e_{11}$, a value, and $e_2 = v$, a value. So it must be the case that $e_1 = e_1'$, $e_2 = e_2'$, and $S = S_1 = S_2$. Therefore, $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle = \langle S; (\lambda x.\, e_{11})\ v \rangle$, so we have only to show that $\langle S; e_1\ e_2 \rangle \hookrightarrow \langle S; e_{11}[x := v] \rangle$, which is immediate by E-Beta.

- E-ParApp/E-AppErr-1:

In this case, we have the following facts:

* $\sigma_b = \mathsf{error}$;

* $\langle S; e_1 \rangle \hookrightarrow \mathsf{error}$ (from the premise of E-AppErr-1).

We’re required to show that there exists $\sigma_c$ such that

* $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \sigma_c$, and

* $\mathsf{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathsf{error}$. We have immediately that $\mathsf{error} \hookrightarrow \mathsf{error}$ by E-ReflErr, so it remains to show that $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \mathsf{error}$.

Since $\langle S; e_1 \rangle \hookrightarrow \mathsf{error}$ and $\langle S; e_1 \rangle \hookrightarrow \langle S_1; e_1' \rangle$ (from the premises of E-ParApp, above), we have by IH that there exists $\sigma_{c_1}$ such that $\mathsf{error} \hookrightarrow \sigma_{c_1}$ and $\langle S_1; e_1' \rangle \hookrightarrow \sigma_{c_1}$. Since $\mathsf{error}$ can only step to $\mathsf{error}$, $\sigma_{c_1} = \mathsf{error}$.

Therefore, $\langle S_1; e_1' \rangle \hookrightarrow \mathsf{error}$, so we have that $\langle S_1; e_1'\ e_2' \rangle \hookrightarrow \mathsf{error}$ by E-AppErr-1, and therefore $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \mathsf{error}$ by Lemma 5, as we were required to show.

- E-ParApp/E-AppErr-2:

In this case, we have the following facts:

* $\sigma_b = \mathsf{error}$;

* $\langle S; e_2 \rangle \hookrightarrow \mathsf{error}$ (from the premise of E-AppErr-2).

We’re required to show that there exists $\sigma_c$ such that

* $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \sigma_c$, and

* $\mathsf{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathsf{error}$. We have immediately that $\mathsf{error} \hookrightarrow \mathsf{error}$ by E-ReflErr, so it remains to show that $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \mathsf{error}$.

Since $\langle S; e_2 \rangle \hookrightarrow \mathsf{error}$ and $\langle S; e_2 \rangle \hookrightarrow \langle S_2; e_2' \rangle$ (from the premises of E-ParApp, above), we have by IH that there exists $\sigma_{c_2}$ such that $\mathsf{error} \hookrightarrow \sigma_{c_2}$ and $\langle S_2; e_2' \rangle \hookrightarrow \sigma_{c_2}$. Since $\mathsf{error}$ can only step to $\mathsf{error}$, $\sigma_{c_2} = \mathsf{error}$.

Therefore, $\langle S_2; e_2' \rangle \hookrightarrow \mathsf{error}$, so we have that $\langle S_2; e_1'\ e_2' \rangle \hookrightarrow \mathsf{error}$ by E-AppErr-2, and therefore $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \mathsf{error}$ by Lemma 5, as we were required to show.

- E-ParApp/E-ParAppErr:

In this case, we have the following facts:

* $\sigma_b = \mathsf{error}$;

* $\langle S; e_1 \rangle \hookrightarrow \langle S_{b_1}; e_{b_1} \rangle$ for some $S_{b_1}$ and $e_{b_1}$ (from the first premise of E-ParAppErr);

* $\langle S; e_2 \rangle \hookrightarrow \langle S_{b_2}; e_{b_2} \rangle$ for some $S_{b_2}$ and $e_{b_2}$ (from the second premise of E-ParAppErr);

* $S_{b_1} \sqcup_S S_{b_2} = \top_S$ (from the third premise of E-ParAppErr).

We’re required to show that there exists $\sigma_c$ such that

* $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \sigma_c$, and

* $\mathsf{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathsf{error}$. We have immediately that $\mathsf{error} \hookrightarrow \mathsf{error}$ by E-ReflErr, so it remains to show that $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \mathsf{error}$.

Since $\langle S; e_1 \rangle \hookrightarrow \langle S_1; e_1' \rangle$ (from the first premise of E-ParApp) and $\langle S; e_1 \rangle \hookrightarrow \langle S_{b_1}; e_{b_1} \rangle$, and since $\langle S; e_2 \rangle \hookrightarrow \langle S_2; e_2' \rangle$ (from the second premise of E-ParApp) and $\langle S; e_2 \rangle \hookrightarrow \langle S_{b_2}; e_{b_2} \rangle$, we have by IH that there exist $\sigma_{c_1}$ and $\sigma_{c_2}$ such that $\langle S_1; e_1' \rangle \hookrightarrow \sigma_{c_1}$ and $\langle S_{b_1}; e_{b_1} \rangle \hookrightarrow \sigma_{c_1}$, and that $\langle S_2; e_2' \rangle \hookrightarrow \sigma_{c_2}$ and $\langle S_{b_2}; e_{b_2} \rangle \hookrightarrow \sigma_{c_2}$.

We consider the following possibilities, at least one of which must hold:

* $\sigma_{c_1} = \mathsf{error}$.

In this case, since $\langle S_1; e_1' \rangle \hookrightarrow \mathsf{error}$, we have by E-AppErr-1 that $\langle S_1; e_1'\ e_2' \rangle \hookrightarrow \mathsf{error}$. Therefore, by Lemma 5, we have that $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \mathsf{error}$, as we were required to show.

* $\sigma_{c_2} = \mathsf{error}$.

In this case, since $\langle S_2; e_2' \rangle \hookrightarrow \mathsf{error}$, we have by E-AppErr-2 that $\langle S_2; e_1'\ e_2' \rangle \hookrightarrow \mathsf{error}$. Therefore, by Lemma 5, we have that $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \mathsf{error}$, as we were required to show.

* $\sigma_{c_1} = \langle S_{c_1}; e_{c_1} \rangle \neq \mathsf{error}$ and $\sigma_{c_2} = \langle S_{c_2}; e_{c_2} \rangle \neq \mathsf{error}$.

In this case, at least one of the following three possibilities must hold:

1. $S_{c_1} \sqcup_S S_2 = \top_S$.

Since $\langle S_1; e_1' \rangle \hookrightarrow \langle S_{c_1}; e_{c_1} \rangle$ and $S_{c_1} \sqcup_S S_2 = \top_S$, we have by Lemma 4 that $\langle S_1 \sqcup_S S_2; e_1' \rangle \hookrightarrow \mathsf{error}$. Therefore, by E-AppErr-1, $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \mathsf{error}$, as we were required to show.

2. $S_1 \sqcup_S S_{c_2} = \top_S$.

Since $\langle S_2; e_2' \rangle \hookrightarrow \langle S_{c_2}; e_{c_2} \rangle$ and $S_1 \sqcup_S S_{c_2} = \top_S$, we have by Lemma 4 that $\langle S_1 \sqcup_S S_2; e_2' \rangle \hookrightarrow \mathsf{error}$. Therefore, by E-AppErr-2, $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \mathsf{error}$, as we were required to show.

3. $S_{c_1} \sqcup_S S_2 \neq \top_S$ and $S_1 \sqcup_S S_{c_2} \neq \top_S$.

In this case, since $\langle S_1; e_1' \rangle \hookrightarrow \langle S_{c_1}; e_{c_1} \rangle$ and $S_{c_1} \sqcup_S S_2 \neq \top_S$, we have by Lemma 3 that $\langle S_1 \sqcup_S S_2; e_1' \rangle \hookrightarrow \langle S_{c_1} \sqcup_S S_2; e_{c_1} \rangle$.

Likewise, since $\langle S_2; e_2' \rangle \hookrightarrow \langle S_{c_2}; e_{c_2} \rangle$ and $S_1 \sqcup_S S_{c_2} \neq \top_S$, we have by Lemma 3 that $\langle S_1 \sqcup_S S_2; e_2' \rangle \hookrightarrow \langle S_1 \sqcup_S S_{c_2}; e_{c_2} \rangle$.

But since $S_{b_1} \sqsubseteq_S S_{c_1}$ and $S_{b_2} \sqsubseteq_S S_{c_2}$ and $S_{b_1} \sqcup_S S_{b_2} = \top_S$, it must be the case that $S_{c_1} \sqcup_S S_{c_2} = \top_S$. Therefore we have that

$(S_{c_1} \sqcup_S S_2) \sqcup_S (S_1 \sqcup_S S_{c_2}) = S_{c_1} \sqcup_S S_{c_2} = \top_S$. So, by E-ParAppErr, $\langle S_1 \sqcup_S S_2; e_1'\ e_2' \rangle \hookrightarrow \mathsf{error}$, as we were required to show.

A.6.3 E-Put-1

• E-Put-1: $\sigma = \langle S; \mathit{put}\ e_1\ e_2 \rangle$, and $\sigma_a = \langle S_1; \mathit{put}\ e_1'\ e_2 \rangle$.

Given:

- $\langle S; \mathit{put}\ e_1\ e_2 \rangle \hookrightarrow \langle S_1; \mathit{put}\ e_1'\ e_2 \rangle$, and

- $\langle S; \mathit{put}\ e_1\ e_2 \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

From the premise of E-Put-1, we have that $\langle S; e_1 \rangle \hookrightarrow \langle S_1; e_1' \rangle$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathit{put}\ e_1\ e_2 \rangle \hookrightarrow \sigma_b$. By the operational semantics, there are seven possibilities: E-Put-1/E-Refl, E-Put-1/E-Put-1, E-Put-1/E-Put-2, E-Put-1/E-PutVal, E-Put-1/E-PutErr-1, E-Put-1/E-PutErr-2, and E-Put-1/E-PutValErr.

- E-Put-1/E-Refl:

Analogous to the E-Refl/E-Put-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-Put-1/E-Put-1:

In this case, we have the following facts:

* $\sigma_b = \langle S_{b_1}; \mathit{put}\ e_{b_1}\ e_2 \rangle$, and

* $\langle S; e_1 \rangle \hookrightarrow \langle S_{b_1}; e_{b_1} \rangle$.

Since $\langle S; e_1 \rangle \hookrightarrow \langle S_1; e_1' \rangle$ and $\langle S; e_1 \rangle \hookrightarrow \langle S_{b_1}; e_{b_1} \rangle$, we have by IH that there exists $\sigma_{c_1}$ such that $\langle S_1; e_1' \rangle \hookrightarrow \sigma_{c_1}$ and $\langle S_{b_1}; e_{b_1} \rangle \hookrightarrow \sigma_{c_1}$. Either $\sigma_{c_1}$ is $\mathsf{error}$, or it is some non-error configuration $\langle S_{c_1}; e_{c_1} \rangle$.

We’re required to show that there exists $\sigma_c$ such that

* $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle \hookrightarrow \sigma_c$, and

* $\langle S_{b_1}; \mathit{put}\ e_{b_1}\ e_2 \rangle \hookrightarrow \sigma_c$.

We consider the following possibilities, one of which must hold.

1. $\sigma_{c_1} = \mathsf{error}$.

Then, since $\langle S_1; e_1' \rangle \hookrightarrow \mathsf{error}$, we have by E-PutErr-1 that $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle \hookrightarrow \mathsf{error}$. Likewise, since $\langle S_{b_1}; e_{b_1} \rangle \hookrightarrow \mathsf{error}$, we have by E-PutErr-1 that $\langle S_{b_1}; \mathit{put}\ e_{b_1}\ e_2 \rangle \hookrightarrow \mathsf{error}$. Therefore $\sigma_c = \mathsf{error}$.

2. $\sigma_{c_1} = \langle S_{c_1}; e_{c_1} \rangle$.

Then, since $\langle S_1; e_1' \rangle \hookrightarrow \langle S_{c_1}; e_{c_1} \rangle$, we have by E-Put-1 that $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle \hookrightarrow \langle S_{c_1}; \mathit{put}\ e_{c_1}\ e_2 \rangle$. Likewise, since $\langle S_{b_1}; e_{b_1} \rangle \hookrightarrow \langle S_{c_1}; e_{c_1} \rangle$, we have by E-Put-1 that $\langle S_{b_1}; \mathit{put}\ e_{b_1}\ e_2 \rangle \hookrightarrow \langle S_{c_1}; \mathit{put}\ e_{c_1}\ e_2 \rangle$. Therefore $\sigma_c = \langle S_{c_1}; \mathit{put}\ e_{c_1}\ e_2 \rangle$.

- E-Put-1/E-Put-2:

(NB: In this case we assume that configurations are renamed as necessary to meet non-conflicting requirements.)

In this case, we have the following facts:

* $\sigma_b = \langle S_{b_2}; \mathit{put}\ e_1\ e_{b_2} \rangle$, and

* $\langle S; e_2 \rangle \hookrightarrow \langle S_{b_2}; e_{b_2} \rangle$.

We’re required to show that there exists $\sigma_c$ such that

* $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle \hookrightarrow \sigma_c$, and

* $\langle S_{b_2}; \mathit{put}\ e_1\ e_{b_2} \rangle \hookrightarrow \sigma_c$.

We consider the following two possibilities, one of which must hold:

1. $S_1 \sqcup_S S_{b_2} = \top_S$.

Since $\langle S; e_2 \rangle \hookrightarrow \langle S_{b_2}; e_{b_2} \rangle$ (from above), and since $S_1 \sqcup_S S_{b_2} = S_{b_2} \sqcup_S S_1 = \top_S$, we have by Lemma 4 that $\langle S \sqcup_S S_1; e_2 \rangle \hookrightarrow \mathsf{error}$.

Since $S \sqsubseteq_S S_1$, we have that $S \sqcup_S S_1 = S_1$, so $\langle S_1; e_2 \rangle \hookrightarrow \mathsf{error}$.

Therefore, by E-PutErr-2, $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle \hookrightarrow \mathsf{error}$.

Similarly, since $\langle S; e_1 \rangle \hookrightarrow \langle S_1; e_1' \rangle$ (from the premise of E-Put-1), and since $S_1 \sqcup_S S_{b_2} = \top_S$, we have by Lemma 4 that $\langle S \sqcup_S S_{b_2}; e_1 \rangle \hookrightarrow \mathsf{error}$.

Since $S \sqsubseteq_S S_{b_2}$, we have that $S \sqcup_S S_{b_2} = S_{b_2}$, so $\langle S_{b_2}; e_1 \rangle \hookrightarrow \mathsf{error}$.

Therefore, by E-PutErr-1, $\langle S_{b_2}; \mathit{put}\ e_1\ e_{b_2} \rangle \hookrightarrow \mathsf{error}$.

Therefore $\sigma_c = \mathsf{error}$.

2. $S_1 \sqcup_S S_{b_2} \neq \top_S$.

Since $\langle S; e_2 \rangle \hookrightarrow \langle S_{b_2}; e_{b_2} \rangle$ (from above), and since $S_1 \sqcup_S S_{b_2} = S_{b_2} \sqcup_S S_1 \neq \top_S$, we have by Lemma 3 that $\langle S \sqcup_S S_1; e_2 \rangle \hookrightarrow \langle S_{b_2} \sqcup_S S_1; e_{b_2} \rangle$.

Since $S \sqsubseteq_S S_1$, we have that $S \sqcup_S S_1 = S_1$, so $\langle S_1; e_2 \rangle \hookrightarrow \langle S_{b_2} \sqcup_S S_1; e_{b_2} \rangle$.

Therefore, by E-Put-2, $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle \hookrightarrow \langle S_{b_2} \sqcup_S S_1; \mathit{put}\ e_1'\ e_{b_2} \rangle$.

Similarly, since $\langle S; e_1 \rangle \hookrightarrow \langle S_1; e_1' \rangle$ (from the premise of E-Put-1), and since $S_1 \sqcup_S S_{b_2} \neq \top_S$, we have by Lemma 3 that $\langle S \sqcup_S S_{b_2}; e_1 \rangle \hookrightarrow \langle S_1 \sqcup_S S_{b_2}; e_1' \rangle$.

Since $S \sqsubseteq_S S_{b_2}$, we have that $S \sqcup_S S_{b_2} = S_{b_2}$, so $\langle S_{b_2}; e_1 \rangle \hookrightarrow \langle S_1 \sqcup_S S_{b_2}; e_1' \rangle$.

Therefore, by E-Put-1, $\langle S_{b_2}; \mathit{put}\ e_1\ e_{b_2} \rangle \hookrightarrow \langle S_1 \sqcup_S S_{b_2}; \mathit{put}\ e_1'\ e_{b_2} \rangle$.

Therefore $\sigma_c = \langle S_1 \sqcup_S S_{b_2}; \mathit{put}\ e_1'\ e_{b_2} \rangle$.

- E-Put-1/E-PutVal:

In this case, we have the following facts:

* $\langle S; \mathit{put}\ e_1\ e_2 \rangle = \langle S; \mathit{put}\ l\ \{d_1\} \rangle$,

* $\sigma_b = \langle S[l \mapsto d_1 \sqcup d_2]; \{\} \rangle$, and

* $S(l) = d_2 \wedge d_1 \in D \wedge d_1 \sqcup d_2 \neq \top$ (from the premises of E-PutVal).

We’re required to show that there exists $\sigma_c$ such that

* $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle \hookrightarrow \sigma_c$, and

* $\langle S[l \mapsto d_1 \sqcup d_2]; \{\} \rangle \hookrightarrow \sigma_c$.

Choose $\sigma_c = \langle S[l \mapsto d_1 \sqcup d_2]; \{\} \rangle$. We have from E-Refl that $\langle S[l \mapsto d_1 \sqcup d_2]; \{\} \rangle \hookrightarrow \langle S[l \mapsto d_1 \sqcup d_2]; \{\} \rangle$, so it remains to show that $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle \hookrightarrow \langle S[l \mapsto d_1 \sqcup d_2]; \{\} \rangle$.

From the premise of E-Put-1, we have that $\langle S; e_1 \rangle \hookrightarrow \langle S_1; e_1' \rangle$. But $e_1 = l$, a value, so it must be the case that $e_1 = e_1'$ and $S = S_1$. Therefore, $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle = \langle S; \mathit{put}\ e_1\ e_2 \rangle$. Further, since $e_1 = l$ and $e_2 = \{d_1\}$, $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle = \langle S; \mathit{put}\ l\ \{d_1\} \rangle$. So we have only to show that $\langle S; \mathit{put}\ l\ \{d_1\} \rangle \hookrightarrow \langle S[l \mapsto d_1 \sqcup d_2]; \{\} \rangle$, which is immediate by E-PutVal, since all of the premises hold.

- E-Put-1/E-PutErr-1:

In this case, we have the following facts:

* $\sigma_b = \mathsf{error}$, and

* $\langle S; e_1 \rangle \hookrightarrow \mathsf{error}$ (from the premise of E-PutErr-1).

We’re required to show that there exists $\sigma_c$ such that

* $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle \hookrightarrow \sigma_c$, and

* $\mathsf{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathsf{error}$. We have immediately that $\mathsf{error} \hookrightarrow \mathsf{error}$ by E-ReflErr, so it remains to show that $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle \hookrightarrow \mathsf{error}$.

Since $\langle S; e_1 \rangle \hookrightarrow \mathsf{error}$ and $\langle S; e_1 \rangle \hookrightarrow \langle S_1; e_1' \rangle$ (from the premise of E-Put-1, above), we have by IH that there exists $\sigma_{c_1}$ such that $\mathsf{error} \hookrightarrow \sigma_{c_1}$ and $\langle S_1; e_1' \rangle \hookrightarrow \sigma_{c_1}$. Since $\mathsf{error}$ can only step to $\mathsf{error}$, $\sigma_{c_1} = \mathsf{error}$.

Therefore, $\langle S_1; e_1' \rangle \hookrightarrow \mathsf{error}$, so we have that $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle \hookrightarrow \mathsf{error}$ by E-PutErr-1, as we were required to show.

- E-Put-1/E-PutErr-2:

In this case, we have the following facts:

* $\sigma_b = \mathsf{error}$, and

* $\langle S; e_2 \rangle \hookrightarrow \mathsf{error}$ (from the premise of E-PutErr-2).

We’re required to show that there exists $\sigma_c$ such that

* $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle \hookrightarrow \sigma_c$, and

* $\mathsf{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathsf{error}$. We have immediately that $\mathsf{error} \hookrightarrow \mathsf{error}$ by E-ReflErr, so it remains to show that $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle \hookrightarrow \mathsf{error}$.

Since $\langle S; e_2 \rangle \hookrightarrow \mathsf{error}$, we have by E-PutErr-2 that $\langle S; \mathit{put}\ e_1'\ e_2 \rangle \hookrightarrow \mathsf{error}$. So, since $S \sqsubseteq_S S_1$, we have by Lemma 5 that $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle \hookrightarrow \mathsf{error}$, as we were required to show.

- E-Put-1/E-PutValErr:

In this case, we have the following facts:

* $\langle S; \mathit{put}\ e_1\ e_2 \rangle = \langle S; \mathit{put}\ l\ \{d_1\} \rangle$,

* $\sigma_b = \mathsf{error}$, and

* $S(l) = d_2 \wedge d_1 \in D \wedge d_1 \sqcup d_2 = \top$ (from the premises of E-PutValErr).

We’re required to show that there exists $\sigma_c$ such that

* $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle \hookrightarrow \sigma_c$, and

* $\mathsf{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathsf{error}$. We have from E-ReflErr that $\mathsf{error} \hookrightarrow \mathsf{error}$, so it remains to show that $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle \hookrightarrow \mathsf{error}$.

From the premise of E-Put-1, we have that $\langle S; e_1 \rangle \hookrightarrow \langle S_1; e_1' \rangle$. But $e_1 = l$, a value, so it must be the case that $e_1 = e_1'$ and $S = S_1$. Therefore, $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle = \langle S; \mathit{put}\ e_1\ e_2 \rangle$. Further, since $e_1 = l$ and $e_2 = \{d_1\}$, $\langle S_1; \mathit{put}\ e_1'\ e_2 \rangle = \langle S; \mathit{put}\ l\ \{d_1\} \rangle$. So we have only to show that $\langle S; \mathit{put}\ l\ \{d_1\} \rangle \hookrightarrow \mathsf{error}$, which is immediate by E-PutValErr, since all of the premises hold.

A.6.4 E-Put-2 

E-Put-2: a = (S; put ei e 2 ), and o a = (Si; put ei e' 2 ). 

Given: 
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- (£; put ei e 2 ) *—* (£ 2 ; put ei e' 2 ), and 

- (£; put ei e 2 ) '—* a b . 


To show: There exists a c such that 

- (£2; put ei e 2 ) *—* <j c , and 

- a b ‘—♦ cr c . 

From the premise of E-Put-2, we have that (£; e 2 ) 5 —> (£ 2 ; e 2 ). 

We proceed by subcases, on the last rule in the derivation of (£; put e\ e 2 ) c —» a b . By the operational 
semantics, there are seven possibilities: E-Put-2/E-Refl, E-Put-2/E-Put-1, E-Put-2/E-Put-2, E-Put- 
2/E-PutVal, E-Put-2/E-PutErr- 1 , E-Put-2/E-PutErr-2, and E-Put-2/E-PutValErr. 

- E-Put-2/E-Refl: 

Analogous to the E-Refl/E-Put-2 case, with cr a and a b reversed. 

- E-Put-2/E-Put- 1: 

Analogous to the E-Put- 1 /E-Put-2 case, with cr a and <r b reversed. 

- E-Put-2/E-Put-2: 

In this case, we have the following facts: 

* a b = (S b2 ; put ei e b2 ), and 

* (5; e 2 ) 5 —> (£& 2 ; e b2 ). 

Since (£; e 2 ) '—> (,S' 2 ; e 2 ) and (£; e 2 ) e —» (S b2 : e b2 ), we have by IH that there exists <j C2 such that 
(£2; e 2 ) *—» a C2 and (£& 2 ; e b2 ) *—> o C2 . Either a C2 is error, or it is some non-error configuration 

<S C2 ; e C2 ). 

We’re required to show that there exists <j c such that 

* (£ 2 ; put e\ e 2 ) ?—> cr c , and 

* (£ b2 ; put ei e b2 ) '—> a c . 

We consider the following possibilities, one of which must hold. 

1. a C2 = error. 

Then, since (£ 2 ; e 2 ) c —> error, we have by E-PutErr-2 that (£ 2 ; put ei e 2 ) * —> error. Likewise, 
since (S b2 -, e t>2 ) c —» error, we have by E-PutErr-2 that (,S' ; , 2 : put e-, e t)2 ) c —> error. Therefore 
a c = error. 

2 . cj C2 = (£ C2 ; e C2 ). 

Then, since (£ 2 ; e 2 ) e —> (£ C2 ; e C2 ), we have by E-Put- 2 that (£ 2 ; putei e 2 ) <—* (£ C2 ; putei e C2 ). 
Likewise, since (£b 2 ; e b2 ) c —» (£ C2 ; e C2 ), we have by E-Put- 2 that (£j, 2 ; putei eb 2 ) c —» (S C2 ; putei 
Therefore a c = (£ C2 ; put e\ e C2 ). 

- E-Put-2/E-PutVal: 

In this case, we have the following facts: 

* (£; put ei e 2 ) = (£; put l {di}}, 

* a b = (£[/ HdiU d 2 ]; {}}, and 

* £(/) = d -2 Adi e D A d\ Ud 2 ^ T (from the premises of E-PutVal). 

We’re required to show that there exists <t c such that 

* (£ 2 ; put ei e 2 ) 5 —* a c , and 

* <£[Z h- di u tfe]; {})^<T C . 
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Choose a c = (S[Z i-> d\ U d 2 ]; {}}• We have from E-Refl that (S[l i—>■ di LI d 2 ]; {}) c —* (S[l i—► dx U 
d 2 ]; {}), so it remains to show that (S 2 ; put ei e 2 ) 6 —¥ (S[i i—► di LI d 2 ]; {}). 

From the premise of E-Put-2, we have that ( S ; e 2 ) '—> (S 2 ; e' 2 ). But e 2 = {di}, a value, so it must be 
the case that e 2 = e 2 and S = S 2 . Therefore, (S 2 ; put e\ e' 2 ) = (S; put e± e 2 ). Further, since e\ = l and 
e 2 = {di}, (S 2 ; put ei e 2 ) = (S; put l {di}). So we have only to show that (S; put l {di}) 5 —* (S[l h-> 
d\ U d 2 ]; {}}, which is immediate by E-PutVal, since all of the premises hold. 

- E-Put-2/E-PutErr-1:

In this case, we have the following facts:

* $\sigma_b = \mathit{error}$, and

* $\langle S; e_1 \rangle \hookrightarrow \mathit{error}$ (from the premise of E-PutErr-1).

We're required to show that there exists $\sigma_c$ such that

* $\langle S_2; \mathrm{put}\ e_1\ e_2' \rangle \hookrightarrow \sigma_c$, and

* $\mathit{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\langle S_2; \mathrm{put}\ e_1\ e_2' \rangle \hookrightarrow \mathit{error}$.

Since $\langle S; e_1 \rangle \hookrightarrow \mathit{error}$, we have by E-PutErr-1 that $\langle S; \mathrm{put}\ e_1\ e_2' \rangle \hookrightarrow \mathit{error}$. So, since $S \sqsubseteq_S S_2$, we have by Lemma 5 that $\langle S_2; \mathrm{put}\ e_1\ e_2' \rangle \hookrightarrow \mathit{error}$, as we were required to show.

- E-Put-2/E-PutErr-2:

In this case, we have the following facts:

* $\sigma_b = \mathit{error}$, and

* $\langle S; e_2 \rangle \hookrightarrow \mathit{error}$ (from the premise of E-PutErr-2).

We're required to show that there exists $\sigma_c$ such that

* $\langle S_2; \mathrm{put}\ e_1\ e_2' \rangle \hookrightarrow \sigma_c$, and

* $\mathit{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\langle S_2; \mathrm{put}\ e_1\ e_2' \rangle \hookrightarrow \mathit{error}$.

Since $\langle S; e_2 \rangle \hookrightarrow \mathit{error}$ and $\langle S; e_2 \rangle \hookrightarrow \langle S_2; e_2' \rangle$ (from the premise of E-Put-2, above), we have by IH that there exists $\sigma_{c2}$ such that $\mathit{error} \hookrightarrow \sigma_{c2}$ and $\langle S_2; e_2' \rangle \hookrightarrow \sigma_{c2}$. Since $\mathit{error}$ can only step to $\mathit{error}$, $\sigma_{c2} = \mathit{error}$.

Therefore, $\langle S_2; e_2' \rangle \hookrightarrow \mathit{error}$, so we have that $\langle S_2; \mathrm{put}\ e_1\ e_2' \rangle \hookrightarrow \mathit{error}$ by E-PutErr-2, as we were required to show.

- E-Put-2/E-PutValErr:

In this case, we have the following facts:

* $\langle S; \mathrm{put}\ e_1\ e_2 \rangle = \langle S; \mathrm{put}\ l\ \{d_1\} \rangle$,

* $\sigma_b = \mathit{error}$, and

* $S(l) = d_2 \wedge d_1 \in D \wedge d_1 \sqcup d_2 = \top$ (from the premises of E-PutValErr).

We're required to show that there exists $\sigma_c$ such that

* $\langle S_2; \mathrm{put}\ e_1\ e_2' \rangle \hookrightarrow \sigma_c$, and

* $\mathit{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have from E-ReflErr that $\mathit{error} \hookrightarrow \mathit{error}$, so it remains to show that $\langle S_2; \mathrm{put}\ e_1\ e_2' \rangle \hookrightarrow \mathit{error}$.

From the premise of E-Put-2, we have that $\langle S; e_2 \rangle \hookrightarrow \langle S_2; e_2' \rangle$. But $e_2 = \{d_1\}$, a value, so it must be the case that $e_2 = e_2'$ and $S = S_2$. Therefore, $\langle S_2; \mathrm{put}\ e_1\ e_2' \rangle = \langle S; \mathrm{put}\ e_1\ e_2 \rangle$. Further, since $e_1 = l$ and $e_2 = \{d_1\}$, $\langle S_2; \mathrm{put}\ e_1\ e_2' \rangle = \langle S; \mathrm{put}\ l\ \{d_1\} \rangle$. So we have only to show that $\langle S; \mathrm{put}\ l\ \{d_1\} \rangle \hookrightarrow \mathit{error}$, which is immediate by E-PutValErr, since all of the premises hold.
A.6.5 E-Get-1

• E-Get-1: $\sigma = \langle S; \mathrm{get}\ e_1\ e_2 \rangle$, and $\sigma_a = \langle S_1; \mathrm{get}\ e_1'\ e_2 \rangle$.

Given:

- $\langle S; \mathrm{get}\ e_1\ e_2 \rangle \hookrightarrow \langle S_1; \mathrm{get}\ e_1'\ e_2 \rangle$, and

- $\langle S; \mathrm{get}\ e_1\ e_2 \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S_1; \mathrm{get}\ e_1'\ e_2 \rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

From the premise of E-Get-1, we have that $\langle S; e_1 \rangle \hookrightarrow \langle S_1; e_1' \rangle$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathrm{get}\ e_1\ e_2 \rangle \hookrightarrow \sigma_b$. By the operational semantics, there are six possibilities: E-Get-1/E-Refl, E-Get-1/E-Get-1, E-Get-1/E-Get-2, E-Get-1/E-GetVal, E-Get-1/E-GetErr-1, and E-Get-1/E-GetErr-2.

- E-Get-1/E-Refl:

Analogous to the E-Refl/E-Get-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-Get-1/E-Get-1:

Analogous to E-Put-1/E-Put-1.

- E-Get-1/E-Get-2:

Analogous to E-Put-1/E-Put-2.

- E-Get-1/E-GetVal:

In this case, we have the following facts:

* $\langle S; \mathrm{get}\ e_1\ e_2 \rangle = \langle S; \mathrm{get}\ l\ Q \rangle$,

* $\sigma_b = \langle S; \{d_1\} \rangle$, and

* $S(l) = d_2 \wedge \mathrm{incomp}(Q) \wedge Q \subseteq D \wedge d_1 \in Q \wedge d_1 \sqsubseteq d_2$ (from the premises of E-GetVal).

We're required to show that there exists $\sigma_c$ such that

* $\langle S_1; \mathrm{get}\ e_1'\ e_2 \rangle \hookrightarrow \sigma_c$, and

* $\langle S; \{d_1\} \rangle \hookrightarrow \sigma_c$.

Choose $\sigma_c = \langle S; \{d_1\} \rangle$. We have from E-Refl that $\langle S; \{d_1\} \rangle \hookrightarrow \langle S; \{d_1\} \rangle$, so it remains to show that $\langle S_1; \mathrm{get}\ e_1'\ e_2 \rangle \hookrightarrow \langle S; \{d_1\} \rangle$.

From the premise of E-Get-1, we have that $\langle S; e_1 \rangle \hookrightarrow \langle S_1; e_1' \rangle$. But $e_1 = l$, a value, so it must be the case that $e_1 = e_1'$ and $S = S_1$. Therefore, $\langle S_1; \mathrm{get}\ e_1'\ e_2 \rangle = \langle S; \mathrm{get}\ e_1\ e_2 \rangle$. Further, since $e_1 = l$ and $e_2 = Q$, $\langle S_1; \mathrm{get}\ e_1'\ e_2 \rangle = \langle S; \mathrm{get}\ l\ Q \rangle$. So we have only to show that $\langle S; \mathrm{get}\ l\ Q \rangle \hookrightarrow \langle S; \{d_1\} \rangle$, which is immediate by E-GetVal, since all of the premises hold.

- E-Get-1/E-GetErr-1:

Analogous to E-Put-1/E-PutErr-1.

- E-Get-1/E-GetErr-2:

Analogous to E-Put-1/E-PutErr-2.
A.6.6 E-Get-2

• E-Get-2: $\sigma = \langle S; \mathrm{get}\ e_1\ e_2 \rangle$, and $\sigma_a = \langle S_2; \mathrm{get}\ e_1\ e_2' \rangle$.

Given:

- $\langle S; \mathrm{get}\ e_1\ e_2 \rangle \hookrightarrow \langle S_2; \mathrm{get}\ e_1\ e_2' \rangle$, and

- $\langle S; \mathrm{get}\ e_1\ e_2 \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S_2; \mathrm{get}\ e_1\ e_2' \rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

From the premise of E-Get-2, we have that $\langle S; e_2 \rangle \hookrightarrow \langle S_2; e_2' \rangle$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathrm{get}\ e_1\ e_2 \rangle \hookrightarrow \sigma_b$. By the operational semantics, there are six possibilities: E-Get-2/E-Refl, E-Get-2/E-Get-1, E-Get-2/E-Get-2, E-Get-2/E-GetVal, E-Get-2/E-GetErr-1 and E-Get-2/E-GetErr-2.

- E-Get-2/E-Refl:

Analogous to the E-Refl/E-Get-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-Get-2/E-Get-1:

Analogous to E-Put-2/E-Put-1.

- E-Get-2/E-Get-2:

Analogous to E-Put-2/E-Put-2.

- E-Get-2/E-GetVal:

In this case, we have the following facts:

* $\langle S; \mathrm{get}\ e_1\ e_2 \rangle = \langle S; \mathrm{get}\ l\ Q \rangle$,

* $\sigma_b = \langle S; \{d_1\} \rangle$, and

* $S(l) = d_2 \wedge \mathrm{incomp}(Q) \wedge Q \subseteq D \wedge d_1 \in Q \wedge d_1 \sqsubseteq d_2$ (from the premises of E-GetVal).

We're required to show that there exists $\sigma_c$ such that

* $\langle S_2; \mathrm{get}\ e_1\ e_2' \rangle \hookrightarrow \sigma_c$, and

* $\langle S; \{d_1\} \rangle \hookrightarrow \sigma_c$.

Choose $\sigma_c = \langle S; \{d_1\} \rangle$. We have from E-Refl that $\langle S; \{d_1\} \rangle \hookrightarrow \langle S; \{d_1\} \rangle$, so it remains to show that $\langle S_2; \mathrm{get}\ e_1\ e_2' \rangle \hookrightarrow \langle S; \{d_1\} \rangle$.

From the premise of E-Get-2, we have that $\langle S; e_2 \rangle \hookrightarrow \langle S_2; e_2' \rangle$. But $e_2 = Q$, a value, so it must be the case that $e_2 = e_2'$ and $S = S_2$. Therefore, $\langle S_2; \mathrm{get}\ e_1\ e_2' \rangle = \langle S; \mathrm{get}\ e_1\ e_2 \rangle$. Further, since $e_1 = l$ and $e_2 = Q$, $\langle S_2; \mathrm{get}\ e_1\ e_2' \rangle = \langle S; \mathrm{get}\ l\ Q \rangle$. So we have only to show that $\langle S; \mathrm{get}\ l\ Q \rangle \hookrightarrow \langle S; \{d_1\} \rangle$, which is immediate by E-GetVal, since all of the premises hold.

- E-Get-2/E-GetErr-1:

Analogous to E-Put-2/E-PutErr-1.

- E-Get-2/E-GetErr-2:

Analogous to E-Put-2/E-PutErr-2.
A.6.7 E-Convert

• E-Convert: $\sigma = \langle S; \mathrm{convert}\ e \rangle$, and $\sigma_a = \langle S'; \mathrm{convert}\ e' \rangle$.

Given:

- $\langle S; \mathrm{convert}\ e \rangle \hookrightarrow \langle S'; \mathrm{convert}\ e' \rangle$, and

- $\langle S; \mathrm{convert}\ e \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S'; \mathrm{convert}\ e' \rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

From the premise of E-Convert, we have that $\langle S; e \rangle \hookrightarrow \langle S'; e' \rangle$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathrm{convert}\ e \rangle \hookrightarrow \sigma_b$. By the operational semantics, there are four possibilities: E-Convert/E-Refl, E-Convert/E-Convert, E-Convert/E-ConvertVal, and E-Convert/E-ConvertErr.

- E-Convert/E-Refl:

Analogous to the E-Refl/E-Convert case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-Convert/E-Convert:

In this case, we have the following facts:

* $\sigma_b = \langle S_b; \mathrm{convert}\ e_b \rangle$, and

* $\langle S; e \rangle \hookrightarrow \langle S_b; e_b \rangle$ (from the premise of E-Convert).

Since $\langle S; e \rangle \hookrightarrow \langle S'; e' \rangle$ and $\langle S; e \rangle \hookrightarrow \langle S_b; e_b \rangle$, we have by IH that there exists $\sigma_c'$ such that $\langle S'; e' \rangle \hookrightarrow \sigma_c'$ and $\langle S_b; e_b \rangle \hookrightarrow \sigma_c'$. Either $\sigma_c'$ is $\mathit{error}$, or it is some non-error configuration $\langle S_c'; e_c' \rangle$.

We're required to show that there exists $\sigma_c$ such that

* $\langle S'; \mathrm{convert}\ e' \rangle \hookrightarrow \sigma_c$, and

* $\langle S_b; \mathrm{convert}\ e_b \rangle \hookrightarrow \sigma_c$.

We consider the following possibilities, one of which must hold.

1. $\sigma_c' = \mathit{error}$.

Then, since $\langle S'; e' \rangle \hookrightarrow \mathit{error}$, we have by E-ConvertErr that $\langle S'; \mathrm{convert}\ e' \rangle \hookrightarrow \mathit{error}$. Likewise, since $\langle S_b; e_b \rangle \hookrightarrow \mathit{error}$, we have by E-ConvertErr that $\langle S_b; \mathrm{convert}\ e_b \rangle \hookrightarrow \mathit{error}$. Therefore $\sigma_c = \mathit{error}$.

2. $\sigma_c' = \langle S_c'; e_c' \rangle$.

Then, since $\langle S'; e' \rangle \hookrightarrow \langle S_c'; e_c' \rangle$, we have by E-Convert that $\langle S'; \mathrm{convert}\ e' \rangle \hookrightarrow \langle S_c'; \mathrm{convert}\ e_c' \rangle$. Likewise, since $\langle S_b; e_b \rangle \hookrightarrow \langle S_c'; e_c' \rangle$, we have by E-Convert that $\langle S_b; \mathrm{convert}\ e_b \rangle \hookrightarrow \langle S_c'; \mathrm{convert}\ e_c' \rangle$. Therefore $\sigma_c = \langle S_c'; \mathrm{convert}\ e_c' \rangle$.

- E-Convert/E-ConvertVal:

In this case, we have the following facts:

* $\langle S; \mathrm{convert}\ e \rangle = \langle S; \mathrm{convert}\ Q \rangle$, and

* $\sigma_b = \langle S; \delta(Q) \rangle$.

We're required to show that there exists $\sigma_c$ such that

* $\langle S'; \mathrm{convert}\ e' \rangle \hookrightarrow \sigma_c$, and

* $\langle S; \delta(Q) \rangle \hookrightarrow \sigma_c$.

Choose $\sigma_c = \langle S; \delta(Q) \rangle$. We have from E-Refl that $\langle S; \delta(Q) \rangle \hookrightarrow \langle S; \delta(Q) \rangle$, so it remains to show that $\langle S'; \mathrm{convert}\ e' \rangle \hookrightarrow \langle S; \delta(Q) \rangle$.

From the premise of E-Convert, we have that $\langle S; e \rangle \hookrightarrow \langle S'; e' \rangle$. But $e = Q$, a value, so it must be the case that $e = e'$ and $S = S'$. Therefore, $\langle S'; \mathrm{convert}\ e' \rangle = \langle S; \mathrm{convert}\ Q \rangle$. So we have only to show that $\langle S; \mathrm{convert}\ Q \rangle \hookrightarrow \langle S; \delta(Q) \rangle$, which is immediate by E-ConvertVal.

- E-Convert/E-ConvertErr:

In this case, we have the following facts:

* $\sigma_b = \mathit{error}$, and

* $\langle S; e \rangle \hookrightarrow \mathit{error}$ (from the premise of E-ConvertErr).

We're required to show that there exists $\sigma_c$ such that

* $\langle S'; \mathrm{convert}\ e' \rangle \hookrightarrow \sigma_c$, and

* $\mathit{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\langle S'; \mathrm{convert}\ e' \rangle \hookrightarrow \mathit{error}$.

Since $\langle S; e \rangle \hookrightarrow \mathit{error}$ and $\langle S; e \rangle \hookrightarrow \langle S'; e' \rangle$ (from the premise of E-Convert, above), we have by IH that there exists $\sigma_c'$ such that $\mathit{error} \hookrightarrow \sigma_c'$ and $\langle S'; e' \rangle \hookrightarrow \sigma_c'$. Since $\mathit{error}$ can only step to $\mathit{error}$, $\sigma_c' = \mathit{error}$.

Therefore, $\langle S'; e' \rangle \hookrightarrow \mathit{error}$, so we have that $\langle S'; \mathrm{convert}\ e' \rangle \hookrightarrow \mathit{error}$ by E-ConvertErr, as we were required to show.

A.6.8 E-Beta

• E-Beta: $\sigma = \langle S; (\lambda x.\, e)\ v \rangle$, and $\sigma_a = \langle S; e[x := v] \rangle$.

Given:

- $\langle S; (\lambda x.\, e)\ v \rangle \hookrightarrow \langle S; e[x := v] \rangle$, and

- $\langle S; (\lambda x.\, e)\ v \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S; e[x := v] \rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

We proceed by subcases, on the last rule in the derivation of $\langle S; (\lambda x.\, e)\ v \rangle \hookrightarrow \sigma_b$. By the operational semantics, there are six possibilities: E-Beta/E-Refl, E-Beta/E-ParApp, E-Beta/E-Beta, E-Beta/E-AppErr-1, E-Beta/E-AppErr-2, and E-Beta/E-ParAppErr.

- E-Beta/E-Refl:

Analogous to the E-Refl/E-Beta case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-Beta/E-ParApp:

Analogous to the E-ParApp/E-Beta case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-Beta/E-Beta:

In this case, by the operational semantics, $\sigma_b = \langle S; e[x := v] \rangle$. Since $\sigma_a = \sigma_b = \langle S; e[x := v] \rangle$, choose $\sigma_c = \langle S; e[x := v] \rangle$. By E-Refl, both $\sigma_a$ and $\sigma_b$ step to $\sigma_c$, as we were required to show.

- E-Beta/E-AppErr-1:

For this case to occur, we would need to have $\langle S; (\lambda x.\, e) \rangle \hookrightarrow \mathit{error}$ (from the premise of E-AppErr-1). But $(\lambda x.\, e)$ is a value (and $S \neq \top_S$), so $\langle S; (\lambda x.\, e) \rangle$ can only step to $\langle S; (\lambda x.\, e) \rangle$, not $\mathit{error}$. Therefore, this case cannot occur.

- E-Beta/E-AppErr-2:

For this case to occur, we would need to have $\langle S; v \rangle \hookrightarrow \mathit{error}$ (from the premise of E-AppErr-2). But $v$ is a value (and $S \neq \top_S$), so $\langle S; v \rangle$ can only step to $\langle S; v \rangle$, not $\mathit{error}$. Therefore, this case cannot occur.

- E-Beta/E-ParAppErr:

For this case to occur, then by the premises of E-ParAppErr, we would need to have $\langle S; (\lambda x.\, e) \rangle$ step to some configuration $\langle S_1; e_1' \rangle$ and to have $\langle S; v \rangle$ step to some configuration $\langle S_2; e_2' \rangle$, where $S_1 \sqcup_S S_2 = \top_S$. But $(\lambda x.\, e)$ and $v$ are values (and $S \neq \top_S$), so $\langle S; (\lambda x.\, e) \rangle$ can only step to $\langle S; (\lambda x.\, e) \rangle$ and $\langle S; v \rangle$ can only step to $\langle S; v \rangle$. Therefore $S_1 = S_2 = S$, so $S_1 \sqcup_S S_2 = S \neq \top_S$, and so this case cannot occur.

A.6.9 E-New

• E-New: $\sigma = \langle S; \mathrm{new} \rangle$, and $\sigma_a = \langle S[l \mapsto \bot]; l \rangle$.

Given:

- $\langle S; \mathrm{new} \rangle \hookrightarrow \langle S[l \mapsto \bot]; l \rangle$, and

- $\langle S; \mathrm{new} \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S[l \mapsto \bot]; l \rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathrm{new} \rangle \hookrightarrow \sigma_b$. By the operational semantics, there are two possibilities: E-New/E-Refl and E-New/E-New.

- E-New/E-Refl:

Analogous to the E-Refl/E-New case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-New/E-New:

In this case, $\sigma_b = \langle S[l' \mapsto \bot]; l' \rangle$.

To show: There exists $\sigma_c$ such that

* $\langle S[l \mapsto \bot]; l \rangle \hookrightarrow \sigma_c$, and

* $\langle S[l' \mapsto \bot]; l' \rangle \hookrightarrow \sigma_c$.

One of the following two possibilities must hold:

* $l' = l$.

In this case, both $\langle S[l \mapsto \bot]; l \rangle$ and $\langle S[l' \mapsto \bot]; l' \rangle$ step to $\langle S[l \mapsto \bot]; l \rangle$ by E-Refl. Therefore $\sigma_c = \langle S[l \mapsto \bot]; l \rangle$.

* $l' \neq l$.

In this case, $\mathrm{dom}(S[l \mapsto \bot]) - \mathrm{dom}(S) = \{l\}$, and $l' \notin \mathrm{dom}(S[l \mapsto \bot])$ (since, by the side condition of E-New, $l' \notin \mathrm{dom}(S)$, and since $l' \neq l$). Therefore, by Definition 8, $\langle S[l \mapsto \bot]; l \rangle$ is a safe renaming of $\langle S[l' \mapsto \bot]; l' \rangle$. Stepping both configurations by E-Refl, we have that $\sigma_c = \langle S[l \mapsto \bot]; l \rangle$ or a safe renaming thereof. Therefore the case holds up to safe renamings of $\sigma_c$.

A.6.10 E-PutVal

• E-PutVal: $\sigma = \langle S; \mathrm{put}\ l\ \{d_1\} \rangle$, and $\sigma_a = \langle S[l \mapsto d_1 \sqcup d_2]; \{\} \rangle$.

Given:

- $\langle S; \mathrm{put}\ l\ \{d_1\} \rangle \hookrightarrow \langle S[l \mapsto d_1 \sqcup d_2]; \{\} \rangle$, and

- $\langle S; \mathrm{put}\ l\ \{d_1\} \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S[l \mapsto d_1 \sqcup d_2]; \{\} \rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathrm{put}\ l\ \{d_1\} \rangle \hookrightarrow \sigma_b$. By the operational semantics, there are seven possibilities: E-PutVal/E-Refl, E-PutVal/E-Put-1, E-PutVal/E-Put-2, E-PutVal/E-PutVal, E-PutVal/E-PutErr-1, E-PutVal/E-PutErr-2, and E-PutVal/E-PutValErr.

- E-PutVal/E-Refl:

Analogous to the E-Refl/E-PutVal case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutVal/E-Put-1:

Analogous to the E-Put-1/E-PutVal case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutVal/E-Put-2:

Analogous to the E-Put-2/E-PutVal case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutVal/E-PutVal:

In this case, by the operational semantics, $\sigma_b = \langle S[l \mapsto d_1 \sqcup d_2]; \{\} \rangle$. Since $\sigma_a = \sigma_b = \langle S[l \mapsto d_1 \sqcup d_2]; \{\} \rangle$, choose $\sigma_c = \langle S[l \mapsto d_1 \sqcup d_2]; \{\} \rangle$. By E-Refl, both $\sigma_a$ and $\sigma_b$ step to $\sigma_c$, as we were required to show.

- E-PutVal/E-PutErr-1:

For this case to occur, we would need to have $\langle S; l \rangle \hookrightarrow \mathit{error}$ (from the premise of E-PutErr-1). But $l$ is a value (and $S \neq \top_S$), so $\langle S; l \rangle$ can only step to $\langle S; l \rangle$, not $\mathit{error}$. Therefore, this case cannot occur.

- E-PutVal/E-PutErr-2:

For this case to occur, we would need to have $\langle S; \{d_1\} \rangle \hookrightarrow \mathit{error}$ (from the premise of E-PutErr-1). But $\{d_1\}$ is a value (and $S \neq \top_S$), so $\langle S; \{d_1\} \rangle$ can only step to $\langle S; \{d_1\} \rangle$, not $\mathit{error}$. Therefore, this case cannot occur.

- E-PutVal/E-PutValErr:

For this case to occur, we would need to have $d_1 \sqcup d_2 = \top$ (from the last premise of E-PutValErr). But we have that $d_1 \sqcup d_2 \neq \top$ from the last premise of E-PutVal. Therefore, this case cannot occur.

A.6.11 E-GetVal

• E-GetVal: $\sigma = \langle S; \mathrm{get}\ l\ Q \rangle$, and $\sigma_a = \langle S; \{d_1\} \rangle$.

Given:

- $\langle S; \mathrm{get}\ l\ Q \rangle \hookrightarrow \langle S; \{d_1\} \rangle$, and

- $\langle S; \mathrm{get}\ l\ Q \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S; \{d_1\} \rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathrm{get}\ l\ Q \rangle \hookrightarrow \sigma_b$. By the operational semantics, there are six possibilities: E-GetVal/E-Refl, E-GetVal/E-Get-1, E-GetVal/E-Get-2, E-GetVal/E-GetVal, E-GetVal/E-GetErr-1, and E-GetVal/E-GetErr-2.

- E-GetVal/E-Refl:

Analogous to the E-Refl/E-GetVal case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetVal/E-Get-1:

Analogous to the E-Get-1/E-GetVal case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetVal/E-Get-2:

Analogous to the E-Get-2/E-GetVal case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetVal/E-GetVal:

In this case, by the operational semantics, $\sigma_b = \langle S; \{d_1\} \rangle$. Since $\sigma_a = \sigma_b = \langle S; \{d_1\} \rangle$, choose $\sigma_c = \langle S; \{d_1\} \rangle$. By E-Refl, both $\sigma_a$ and $\sigma_b$ step to $\sigma_c$, as we were required to show.

- E-GetVal/E-GetErr-1:

For this case to occur, we would need to have $\langle S; l \rangle \hookrightarrow \mathit{error}$ (from the premise of E-GetErr-1). But $l$ is a value (and $S \neq \top_S$), so $\langle S; l \rangle$ can only step to $\langle S; l \rangle$, not $\mathit{error}$. Therefore, this case cannot occur.

- E-GetVal/E-GetErr-2:

For this case to occur, we would need to have $\langle S; Q \rangle \hookrightarrow \mathit{error}$ (from the premise of E-GetErr-2). But $Q$ is a value (and $S \neq \top_S$), so $\langle S; Q \rangle$ can only step to $\langle S; Q \rangle$, not $\mathit{error}$. Therefore, this case cannot occur.
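To make the E-PutVal/E-PutValErr and E-GetVal cases above concrete, here is an added executable model of the put and get rules over a small constructed lattice, with a check that puts to the same location reach the same store in either order, or error in either order. This is example code written for this page, not the paper's own; the pair lattice, the Python names and the pairwise-incompatibility reading of incomp(Q) are assumptions.

```python
from itertools import combinations, permutations

# Constructed example lattice (an assumption, not taken from the paper): an LVar
# holds a pair whose components are either unknown (None) or a fixed value.
# Writing a different value to an already-known component is a conflict, whose
# least upper bound is TOP; the store then becomes the error configuration.
TOP = "TOP"
ERROR = "error"   # the error configuration of the operational semantics


def lub(d1, d2):
    """Least upper bound in the example lattice: TOP on any conflict."""
    if d1 == TOP or d2 == TOP:
        return TOP
    out = []
    for x, y in zip(d1, d2):
        if x is None:
            out.append(y)
        elif y is None or x == y:
            out.append(x)
        else:
            return TOP  # two different known values for one component
    return tuple(out)


def leq(d1, d2):
    """d1 is below d2 exactly when joining d1 with d2 gives back d2."""
    return lub(d1, d2) == d2


def incomp(Q):
    """Pairwise incompatibility of a threshold set, as assumed here: any two
    distinct elements of Q have TOP as their least upper bound."""
    return all(lub(a, b) == TOP for a, b in combinations(Q, 2))


def put_val(S, l, d1):
    """E-PutVal / E-PutValErr: <S; put l {d1}> steps to <S[l -> d1 lub d2]; {}>
    when d1 lub d2 != TOP, and to error when d1 lub d2 == TOP (d2 = S(l))."""
    if S == ERROR:
        return ERROR  # error only steps to error (E-ReflErr)
    d = lub(d1, S[l])
    if d == TOP:
        return ERROR
    S2 = dict(S)  # the store is updated functionally, as in S[l -> ...]
    S2[l] = d
    return S2


def get_val(S, l, Q):
    """E-GetVal: <S; get l Q> steps to <S; {d1}> when incomp(Q), d1 in Q and
    d1 below S(l). Returns None when no element of Q is below S(l): no rule
    applies and the get blocks. incomp(Q) makes the returned element unique."""
    if not incomp(Q):
        raise ValueError("threshold set must be pairwise incompatible")
    hits = [d1 for d1 in Q if leq(d1, S[l])]
    assert len(hits) <= 1  # two hits would share a non-TOP lub below S(l)
    return hits[0] if hits else None


def puts_confluent(S, writes):
    """Diamond check for E-PutVal: apply the same puts in every order and
    report whether all orders reach the same store (or all reach error)."""
    results = set()
    for order in permutations(writes):
        cur = S
        for (l, d1) in order:
            cur = put_val(cur, l, d1)
        results.add(ERROR if cur == ERROR else tuple(sorted(cur.items())))
    return len(results) == 1


# Constructed scenario: one location "l" holding the bottom pair, and a
# threshold set whose elements conflict on the first component.
S0 = {"l": (None, None)}
Q = [(0, None), (1, None)]


def demo():
    """Compatible puts commute; conflicting puts reach error in every order;
    a get with threshold Q unblocks only once S(l) is above an element of Q."""
    compatible = [("l", (0, None)), ("l", (None, 1))]
    conflicting = [("l", (0, None)), ("l", (1, None))]
    after = put_val(put_val(S0, "l", (0, None)), "l", (None, 1))
    return (puts_confluent(S0, compatible),   # True
            puts_confluent(S0, conflicting),  # True: error in both orders
            get_val(after, "l", Q),           # (0, None)
            get_val(S0, "l", Q))              # None: get blocks on bottom


if __name__ == "__main__":
    print(demo())
```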

A.6.12 E-ConvertVal

• E-ConvertVal: $\sigma = \langle S; \mathrm{convert}\ Q \rangle$, and $\sigma_a = \langle S; \delta(Q) \rangle$.

Given:

- $\langle S; \mathrm{convert}\ Q \rangle \hookrightarrow \langle S; \delta(Q) \rangle$, and

- $\langle S; \mathrm{convert}\ Q \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S; \delta(Q) \rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathrm{convert}\ Q \rangle \hookrightarrow \sigma_b$. By the operational semantics, there are four possibilities: E-ConvertVal/E-Refl, E-ConvertVal/E-Convert, E-ConvertVal/E-ConvertVal, and E-ConvertVal/E-ConvertErr.

- E-ConvertVal/E-Refl:

Analogous to the E-Refl/E-ConvertVal case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ConvertVal/E-Convert:

Analogous to the E-Convert/E-ConvertVal case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ConvertVal/E-ConvertVal:

In this case, by the operational semantics, $\sigma_b = \langle S; \delta(Q) \rangle$. Since $\sigma_a = \sigma_b = \langle S; \delta(Q) \rangle$, choose $\sigma_c = \langle S; \delta(Q) \rangle$. By E-Refl, both $\sigma_a$ and $\sigma_b$ step to $\sigma_c$, as we were required to show.

- E-ConvertVal/E-ConvertErr:

For this case to occur, we would need to have $\langle S; Q \rangle \hookrightarrow \mathit{error}$ (from the premise of E-ConvertErr). But $Q$ is a value (and $S \neq \top_S$), so $\langle S; Q \rangle$ can only step to $\langle S; Q \rangle$, not $\mathit{error}$. Therefore, this case cannot occur.
A.6.13 E-ReflErr

• E-ReflErr: $\sigma = \mathit{error}$, and $\sigma_a = \mathit{error}$.

Given:

- $\mathit{error} \hookrightarrow \mathit{error}$, and

- $\mathit{error} \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

For all subcases E-ReflErr/*, choose $\sigma_c = \mathit{error}$.

To show:

- $\mathit{error} \hookrightarrow \mathit{error}$, which is immediate from E-ReflErr, and

- $\sigma_b \hookrightarrow \mathit{error}$, which follows from the fact that $\mathit{error} \hookrightarrow \sigma_b$, so since $\mathit{error}$ can only step to $\mathit{error}$, $\sigma_b = \mathit{error}$.


A.6.14 E-AppErr-1

• E-AppErr-1: $\sigma = \langle S; e_1\ e_2 \rangle$, and $\sigma_a = \mathit{error}$.

Given:

- $\langle S; e_1\ e_2 \rangle \hookrightarrow \mathit{error}$, and

- $\langle S; e_1\ e_2 \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\sigma_b \hookrightarrow \mathit{error}$.

We proceed by subcases, on the last rule in the derivation of $\langle S; e_1\ e_2 \rangle \hookrightarrow \sigma_b$. By the operational semantics, there are seven possibilities: E-AppErr-1/E-Refl, E-AppErr-1/E-ParApp, E-AppErr-1/E-Beta, E-AppErr-1/E-ReflErr, E-AppErr-1/E-AppErr-1, E-AppErr-1/E-AppErr-2, and E-AppErr-1/E-ParAppErr.

- E-AppErr-1/E-Refl:

Analogous to the E-Refl/E-AppErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-AppErr-1/E-ParApp:

Analogous to the E-ParApp/E-AppErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-AppErr-1/E-Beta:

Analogous to the E-Beta/E-AppErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-AppErr-1/E-ReflErr:

Analogous to the E-ReflErr/E-AppErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-AppErr-1/E-AppErr-1:

Choose $\sigma_c = \mathit{error}$. By E-AppErr-1, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to $\mathit{error}$, as desired.

- E-AppErr-1/E-AppErr-2:

Choose $\sigma_c = \mathit{error}$. By E-AppErr-2, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to $\mathit{error}$, as desired.

- E-AppErr-1/E-ParAppErr:

Choose $\sigma_c = \mathit{error}$. By E-ParAppErr, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to $\mathit{error}$, as desired.

A.6.15 E-AppErr-2

• E-AppErr-2: $\sigma = \langle S; e_1\ e_2 \rangle$, and $\sigma_a = \mathit{error}$.

Given:

- $\langle S; e_1\ e_2 \rangle \hookrightarrow \mathit{error}$, and

- $\langle S; e_1\ e_2 \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\sigma_b \hookrightarrow \mathit{error}$.

We proceed by subcases, on the last rule in the derivation of $\langle S; e_1\ e_2 \rangle \hookrightarrow \sigma_b$. By the operational semantics, there are seven possibilities: E-AppErr-2/E-Refl, E-AppErr-2/E-ParApp, E-AppErr-2/E-Beta, E-AppErr-2/E-ReflErr, E-AppErr-2/E-AppErr-1, E-AppErr-2/E-AppErr-2, and E-AppErr-2/E-ParAppErr.

- E-AppErr-2/E-Refl:

Analogous to the E-Refl/E-AppErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-AppErr-2/E-ParApp:

Analogous to the E-ParApp/E-AppErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-AppErr-2/E-Beta:

Analogous to the E-Beta/E-AppErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-AppErr-2/E-ReflErr:

Analogous to the E-ReflErr/E-AppErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-AppErr-2/E-AppErr-1:

Analogous to the E-AppErr-1/E-AppErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-AppErr-2/E-AppErr-2:

Choose $\sigma_c = \mathit{error}$. By E-AppErr-2, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to $\mathit{error}$, as desired.

- E-AppErr-2/E-ParAppErr:

Choose $\sigma_c = \mathit{error}$. By E-ParAppErr, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to $\mathit{error}$, as desired.
A.6.16 E-ParAppErr

• E-ParAppErr: $\sigma = \langle S; e_1\ e_2 \rangle$, and $\sigma_a = \mathit{error}$.

Given:

- $\langle S; e_1\ e_2 \rangle \hookrightarrow \mathit{error}$, and

- $\langle S; e_1\ e_2 \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\sigma_b \hookrightarrow \mathit{error}$.

We proceed by subcases, on the last rule in the derivation of $\langle S; e_1\ e_2 \rangle \hookrightarrow \sigma_b$. By the operational semantics, there are seven possibilities: E-ParAppErr/E-Refl, E-ParAppErr/E-ParApp, E-ParAppErr/E-Beta, E-ParAppErr/E-ReflErr, E-ParAppErr/E-AppErr-1, E-ParAppErr/E-AppErr-2, and E-ParAppErr/E-ParAppErr.

- E-ParAppErr/E-Refl:

Analogous to the E-Refl/E-ParAppErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ParAppErr/E-ParApp:

Analogous to the E-ParApp/E-ParAppErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ParAppErr/E-Beta:

Analogous to the E-Beta/E-ParAppErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ParAppErr/E-ReflErr:

Analogous to the E-ReflErr/E-ParAppErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ParAppErr/E-AppErr-1:

Analogous to the E-AppErr-1/E-ParAppErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ParAppErr/E-AppErr-2:

Analogous to the E-AppErr-2/E-ParAppErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ParAppErr/E-ParAppErr:

Choose $\sigma_c = \mathit{error}$. By E-ParAppErr, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to $\mathit{error}$, as desired.

A.6.17 E-PutErr-1

• E-PutErr-1: $\sigma = \langle S; \mathrm{put}\ e_1\ e_2 \rangle$, and $\sigma_a = \mathit{error}$.

Given:

- $\langle S; \mathrm{put}\ e_1\ e_2 \rangle \hookrightarrow \mathit{error}$, and

- $\langle S; \mathrm{put}\ e_1\ e_2 \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\sigma_b \hookrightarrow \mathit{error}$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathrm{put}\ e_1\ e_2 \rangle \hookrightarrow \sigma_b$. By the operational semantics, there are eight possibilities: E-PutErr-1/E-Refl, E-PutErr-1/E-Put-1, E-PutErr-1/E-Put-2, E-PutErr-1/E-PutVal, E-PutErr-1/E-ReflErr, E-PutErr-1/E-PutErr-1, E-PutErr-1/E-PutErr-2, and E-PutErr-1/E-PutValErr.

- E-PutErr-1/E-Refl:

Analogous to the E-Refl/E-PutErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-1/E-Put-1:

Analogous to the E-Put-1/E-PutErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-1/E-Put-2:

Analogous to the E-Put-2/E-PutErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-1/E-PutVal:

Analogous to the E-PutVal/E-PutErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-1/E-ReflErr:

Analogous to the E-ReflErr/E-PutErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-1/E-PutErr-1:

Choose $\sigma_c = \mathit{error}$. By E-PutErr-1, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to $\mathit{error}$, as desired.

- E-PutErr-1/E-PutErr-2:

Choose $\sigma_c = \mathit{error}$. By E-PutErr-2, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to $\mathit{error}$, as desired.

- E-PutErr-1/E-PutValErr:

Choose $\sigma_c = \mathit{error}$. By E-PutValErr, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to $\mathit{error}$, as desired.

A.6.18 E-PutErr-2

• E-PutErr-2: $\sigma = \langle S; \mathrm{put}\ e_1\ e_2 \rangle$, and $\sigma_a = \mathit{error}$.

Given:

- $\langle S; \mathrm{put}\ e_1\ e_2 \rangle \hookrightarrow \mathit{error}$, and

- $\langle S; \mathrm{put}\ e_1\ e_2 \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\sigma_b \hookrightarrow \mathit{error}$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathrm{put}\ e_1\ e_2 \rangle \hookrightarrow \sigma_b$. By the operational semantics, there are eight possibilities: E-PutErr-2/E-Refl, E-PutErr-2/E-Put-1, E-PutErr-2/E-Put-2, E-PutErr-2/E-PutVal, E-PutErr-2/E-ReflErr, E-PutErr-2/E-PutErr-1, E-PutErr-2/E-PutErr-2, and E-PutErr-2/E-PutValErr.

- E-PutErr-2/E-Refl:

Analogous to the E-Refl/E-PutErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-2/E-Put-1:

Analogous to the E-Put-1/E-PutErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-2/E-Put-2:

Analogous to the E-Put-2/E-PutErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-2/E-PutVal:

Analogous to the E-PutVal/E-PutErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-2/E-ReflErr:

Analogous to the E-ReflErr/E-PutErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-2/E-PutErr-1:

Analogous to the E-PutErr-1/E-PutErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-2/E-PutErr-2:

Choose $\sigma_c = \mathit{error}$. By E-PutErr-2, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to $\mathit{error}$, as desired.

- E-PutErr-2/E-PutValErr:

Choose $\sigma_c = \mathit{error}$. By E-PutValErr, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to $\mathit{error}$, as desired.

A.6.19 E-GetErr-1

• E-GetErr-1: $\sigma = \langle S; \mathrm{put}\ e_1\ e_2 \rangle$, and $\sigma_a = \mathit{error}$.

Given:

- $\langle S; \mathrm{put}\ e_1\ e_2 \rangle \hookrightarrow \mathit{error}$, and

- $\langle S; \mathrm{put}\ e_1\ e_2 \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\sigma_b \hookrightarrow \mathit{error}$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathrm{put}\ e_1\ e_2 \rangle \hookrightarrow \sigma_b$. By the operational semantics, there are seven possibilities: E-GetErr-1/E-Refl, E-GetErr-1/E-Get-1, E-GetErr-1/E-Get-2, E-GetErr-1/E-GetVal, E-GetErr-1/E-ReflErr, E-GetErr-1/E-GetErr-1, and E-GetErr-1/E-GetErr-2.

- E-GetErr-1/E-Refl:

Analogous to the E-Refl/E-GetErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-1/E-Get-1:

Analogous to the E-Get-1/E-GetErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-1/E-Get-2:

Analogous to the E-Get-2/E-GetErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-1/E-GetVal:

Analogous to the E-GetVal/E-GetErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-1/E-ReflErr:

Analogous to the E-ReflErr/E-GetErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-1/E-GetErr-1:

Choose $\sigma_c = \mathit{error}$. By E-GetErr-1, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to $\mathit{error}$, as desired.

- E-GetErr-1/E-GetErr-2:

Choose $\sigma_c = \mathit{error}$. By E-GetErr-2, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to $\mathit{error}$, as desired.

A.6.20 E-GetErr-2

• E-GetErr-2: $\sigma = \langle S; \mathrm{get}\ e_1\ e_2 \rangle$, and $\sigma_a = \mathit{error}$.

Given:

- $\langle S; \mathrm{get}\ e_1\ e_2 \rangle \hookrightarrow \mathit{error}$, and

- $\langle S; \mathrm{get}\ e_1\ e_2 \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\sigma_b \hookrightarrow \mathit{error}$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathrm{get}\ e_1\ e_2 \rangle \hookrightarrow \sigma_b$. By the operational semantics, there are seven possibilities: E-GetErr-2/E-Refl, E-GetErr-2/E-Get-1, E-GetErr-2/E-Get-2, E-GetErr-2/E-GetVal, E-GetErr-2/E-ReflErr, E-GetErr-2/E-GetErr-1, and E-GetErr-2/E-GetErr-2.

- E-GetErr-2/E-Refl:

Analogous to the E-Refl/E-GetErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-2/E-Get-1:

Analogous to the E-Get-1/E-GetErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-2/E-Get-2:

Analogous to the E-Get-2/E-GetErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-2/E-GetVal:

Analogous to the E-GetVal/E-GetErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-2/E-ReflErr:

Analogous to the E-ReflErr/E-GetErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-2/E-GetErr-1:

Analogous to the E-GetErr-1/E-GetErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-2/E-GetErr-2:

Choose $\sigma_c = \mathit{error}$. By E-GetErr-2, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to $\mathit{error}$, as desired.
A.6.21 E-ConvertErr

• E-ConvertErr: $\sigma = \langle S; \mathrm{convert}\ e \rangle$, and $\sigma_a = \mathit{error}$.

Given:

- $\langle S; \mathrm{convert}\ e \rangle \hookrightarrow \mathit{error}$, and

- $\langle S; \mathrm{convert}\ e \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\sigma_b \hookrightarrow \mathit{error}$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathrm{convert}\ e \rangle \hookrightarrow \sigma_b$. By the operational semantics, there are five possibilities: E-ConvertErr/E-Refl, E-ConvertErr/E-Convert, E-ConvertErr/E-ConvertVal, E-ConvertErr/E-ReflErr, and E-ConvertErr/E-ConvertErr.

- E-ConvertErr/E-Refl:

Analogous to the E-Refl/E-ConvertErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ConvertErr/E-Convert:

Analogous to the E-Convert/E-ConvertErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ConvertErr/E-ConvertVal:

Analogous to the E-ConvertVal/E-ConvertErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ConvertErr/E-ReflErr:

Analogous to the E-ReflErr/E-ConvertErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ConvertErr/E-ConvertErr:

Choose $\sigma_c = \mathit{error}$. By E-ConvertErr, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to $\mathit{error}$, as desired.

A.6.22 E-PutValErr

• E-PutValErr: $\sigma = \langle S; \mathrm{put}\ e_1\ e_2 \rangle$, and $\sigma_a = \mathit{error}$.

Given:

- $\langle S; \mathrm{put}\ e_1\ e_2 \rangle \hookrightarrow \mathit{error}$, and

- $\langle S; \mathrm{put}\ e_1\ e_2 \rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\sigma_b \hookrightarrow \mathit{error}$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathrm{put}\ e_1\ e_2 \rangle \hookrightarrow \sigma_b$. By the operational semantics, there are eight possibilities: E-PutValErr/E-Refl, E-PutValErr/E-Put-1, E-PutValErr/E-Put-2, E-PutValErr/E-PutVal, E-PutValErr/E-ReflErr, E-PutValErr/E-PutValErr, E-PutValErr/E-PutErr-2, and E-PutValErr/E-PutValErr.

- E-PutValErr/E-Refl:

Analogous to the E-Refl/E-PutValErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutValErr/E-Put-1:

Analogous to the E-Put-1/E-PutValErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutValErr/E-Put-2:

Analogous to the E-Put-2/E-PutValErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutValErr/E-PutVal:

Analogous to the E-PutVal/E-PutValErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutValErr/E-ReflErr:

Analogous to the E-ReflErr/E-PutValErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutValErr/E-PutErr-1:

Analogous to the E-PutErr-1/E-PutValErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutValErr/E-PutErr-2:

Analogous to the E-PutErr-2/E-PutValErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutValErr/E-PutValErr:

Choose $\sigma_c = \mathit{error}$. By E-PutValErr, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to $\mathit{error}$, as desired.



A.7 Strong One-Sided Confluence

Lemma 7 (Strong One-Sided Confluence). If $\sigma \hookrightarrow \sigma'$ and $\sigma \hookrightarrow^m \sigma''$, where $1 \leq m$, then there exist $\sigma_c, i, j$ such that $\sigma' \hookrightarrow^i \sigma_c$ and $\sigma'' \hookrightarrow^j \sigma_c$ and $i \leq m$ and $j \leq 1$.

Proof. We proceed by induction on $m$. In the base case of $m = 1$, the result is immediate from Corollary 1. For the induction step, suppose $\sigma \hookrightarrow^m \sigma'' \hookrightarrow \sigma'''$ and suppose the lemma holds for $m$. From the induction hypothesis, we have that there exist $\sigma_c', i', j'$ such that $\sigma' \hookrightarrow^{i'} \sigma_c'$ and $\sigma'' \hookrightarrow^{j'} \sigma_c'$ and $i' \leq m$ and $j' \leq 1$. We have two cases:

• If $j' = 0$, then $\sigma'' = \sigma_c'$. We can then choose $\sigma_c = \sigma'''$ and $i = i' + 1$ and $j = 0$.

• If $j' = 1$, then from $\sigma'' \hookrightarrow \sigma'''$ and $\sigma'' \hookrightarrow^{j'} \sigma_c'$ and Corollary 1 we have $\sigma_c''$ and $i''$ and $j''$ such that $\sigma''' \hookrightarrow^{i''} \sigma_c''$ and $\sigma_c' \hookrightarrow^{j''} \sigma_c''$ and $i'' \leq 1$ and $j'' \leq 1$. So we also have $\sigma' \hookrightarrow^{i'} \sigma_c' \hookrightarrow^{j''} \sigma_c''$. In summary, we pick $\sigma_c = \sigma_c''$ and $i = i' + j''$ and $j = i''$, which is sufficient because $i = i' + j'' \leq m + 1$ and $j = i'' \leq 1$.

□


A.8 Strong Confluence

Lemma 8 (Strong Confluence). If $\sigma \hookrightarrow^n \sigma'$ and $\sigma \hookrightarrow^m \sigma''$, where $1 \leq n$ and $1 \leq m$, then there exist $\sigma_c, i, j$ such that $\sigma' \hookrightarrow^i \sigma_c$ and $\sigma'' \hookrightarrow^j \sigma_c$ and $i \leq m$ and $j \leq n$.

Proof. We proceed by induction on $n$. In the base case of $n = 1$, the result is immediate from Lemma 7. For the induction step, suppose $\sigma \hookrightarrow^n \sigma' \hookrightarrow \sigma'''$ and suppose the lemma holds for $n$. From the induction hypothesis, we have that there exist $\sigma_c', i', j'$ such that $\sigma' \hookrightarrow^{i'} \sigma_c'$ and $\sigma'' \hookrightarrow^{j'} \sigma_c'$ and $i' \leq m$ and $j' \leq n$. We have two cases:

• If $i' = 0$, then $\sigma' = \sigma_c'$. We can then choose $\sigma_c = \sigma'''$ and $i = 0$ and $j = j' + 1$.

• If $i' \geq 1$, then from $\sigma' \hookrightarrow \sigma'''$ and $\sigma' \hookrightarrow^{i'} \sigma_c'$ and Lemma 7 we have $\sigma_c''$ and $i''$ and $j''$ such that $\sigma''' \hookrightarrow^{i''} \sigma_c''$ and $\sigma_c' \hookrightarrow^{j''} \sigma_c''$ and $i'' \leq i'$ and $j'' \leq 1$. So we also have $\sigma'' \hookrightarrow^{j'} \sigma_c' \hookrightarrow^{j''} \sigma_c''$. In summary, we pick $\sigma_c = \sigma_c''$ and $i = i''$ and $j = j' + j''$, which is sufficient because $i = i'' \leq i' \leq m$ and $j = j' + j'' \leq n + 1$.

□




